Federal Housing Finance Agency Print

 Advisory Bulletins

 

 

Enterprise Fair Lending and Fair Housing Compliance36635Fannie Mae & Freddie Mac12/20/2021 5:00:00 AMAB 2021-04<table width="100%" class="ms-rteTable-default" cellspacing="0" style="font-stretch&#58;inherit;font-size&#58;14px;line-height&#58;inherit;font-family&#58;&quot;source sans pro&quot;, sans-serif;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;border-spacing&#58;0px;table-layout&#58;fixed;background-color&#58;#ffffff;"><tbody style="border&#58;0px;font&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;"><tr style="border&#58;0px;font&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;"><td class="ms-rteTable-default" style="font&#58;inherit;margin&#58;0px;width&#58;776px;"><p style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;line-height&#58;22px;vertical-align&#58;baseline;padding&#58;0px;color&#58;#404040 !important;"> <span style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;font-weight&#58;700 !important;">​​​​​ADVISORY BULLETIN</span></p><p style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;line-height&#58;22px;vertical-align&#58;baseline;padding&#58;0px;color&#58;#404040 !important;"> <span style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;font-weight&#58;700 !important;">AB 2021-04&#58;&#160; Enterprise Fair Landing and Fair Housing Compliance</span></p><p style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;line-height&#58;22px;vertical-align&#58;baseline;padding&#58;0px;color&#58;#404040 !important;"><span style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;font-weight&#58;700 !important;"><a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB%202021-04%20Enterprise%20Fair%20Lending%20and%20Fair%20Housing%20Compliance.pdf">[view&#160;PDF of Advisory&#160;Bulletin 2021-04]</a></span></p></td></tr></tbody></table><p style="border&#58;0px;font-stretch&#58;inherit;font-size&#58;14px;line-height&#58;22px;font-family&#58;&quot;source sans pro&quot;, sans-serif;vertical-align&#58;baseline;padding&#58;0px;background-color&#58;#ffffff;text-align&#58;justify;color&#58;#404040 !important;"> <span style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;line-height&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;text-decoration-line&#58;underline;"> <span style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;font-weight&#58;700 !important;"> <em style="border&#58;0px;font-variant&#58;inherit;font-weight&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;"></em></span></span></p><p style="border&#58;0px;font-stretch&#58;inherit;font-size&#58;14px;line-height&#58;22px;font-family&#58;&quot;source sans pro&quot;, sans-serif;vertical-align&#58;baseline;padding&#58;0px;background-color&#58;#ffffff;color&#58;#404040 !important;"> <em style="border&#58;0px;font-variant&#58;inherit;font-weight&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;text-decoration-line&#58;underline;"> <span style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;font-weight&#58;700 !important;">Purpose</span></em><br></p><p style="border&#58;0px;font-stretch&#58;inherit;font-size&#58;14px;line-height&#58;22px;font-family&#58;&quot;source sans pro&quot;, sans-serif;vertical-align&#58;baseline;padding&#58;0px;background-color&#58;#ffffff;color&#58;#404040 !important;">​<span style="font-size&#58;11pt;line-height&#58;107%;font-family&#58;calibri, sans-serif;">FHFA’s Enterprise fair lendi​ng examination program is conducted by the Office of Fair Lending Oversight (“OFLO”) within the Division of Housing Mission and Goals. </span><span style="font-size&#58;11pt;line-height&#58;107%;font-family&#58;calibri, sans-serif;">The purpose of this advisory bulletin is to provide FHFA’s supervisory expectations and guidance to Fannie Mae and Freddie Mac (the Enterprises) on fair lending compliance. FHFA considers ensuring Enterprise compliance with fair lending laws part of FHFA’s obligation to affirmatively further the purposes of the Fair Housing Act in its program of regulatory and supervisory oversight over the Enterprises and its responsibility to ensure the Enterprises comply with all applicable laws</span>.<a href="#footnote1">[1]</a><span style="font-style&#58;normal;">&#160;</span><br></p><p style="border&#58;0px;font-stretch&#58;inherit;font-size&#58;14px;line-height&#58;22px;font-family&#58;&quot;source sans pro&quot;, sans-serif;vertical-align&#58;baseline;padding&#58;0px;background-color&#58;#ffffff;text-decoration-line&#58;underline;color&#58;#404040 !important;"> <span style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;font-weight&#58;700 !important;"> <em style="border&#58;0px;font-variant&#58;inherit;font-weight&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;">Background</em></span></p><p>The federal fair lending laws that apply to the Enterprises include&#58;</p><ul><li>Fair Housing Act – 42 U.S.C. 3601 et seq.</li><ul><li>Discriminatory Conduct Under the Fair Housing Act – 24 CFR part 100</li></ul><li>Equal Credit Opportunity Act (ECOA) – 15 U.S.C. 1691 et seq.</li><ul><li>Equal Credit Opportunity Act (Regulation B) – 12 CFR part 1002</li></ul><li>Safety and Soundness Act fair housing provision – 12 U.S.C. 4545</li><ul><li>HUD's Regulation of Fannie Mae and Freddie Mac – 24 CFR part 81, subpart C<br>&#160;</li></ul></ul><p>FHFA's fair lending policy statement generally articulates its policy on fair lending and how it uses its authorities to ensure compliance with fair lending laws.<a href="#footnote2">[2]</a> The Enterprises are subject to several associated fair lending requirements such as requirements to obtain and maintain data relevant to ensuring compliance with fair lending laws, report certain information to FHFA pursuant to FHFA's reporting order on fair lending,<a href="#footnote3">[3]</a> include certain information related to fair lending in their annual housing reports, and comply with fair lending requirements associated with other FHFA processes and requirements. The Enterprises are also subject to Department of Housing and Urban Development (“HUD&quot;) oversight related to fair housing. FHFA and HUD have signed a&#160;memorandum of understanding regarding cooperation and coordination with respect to fair housing and fair lending.<a href="#footnote4" style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;">[4​]</a> In certain circumstances, FHFA provides notification to HUD and DOJ of information that suggests a violation of the Fair Housing Act or that indicates a possible pattern or practice of discrimination in violation of the Fair Housing Act.<a href="#footnote5" style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;">[5]</a> The Enterprises play a unique and important role in the mortgage market, and their operations and policies can promote fair lending compliance and further the purposes of fair lending laws and the public interest in the primary mortgage market.</p><p> <em style="text-decoration-line&#58;underline;">Guidance</em><br></p><p>Each Enterprise must fully comply with all applicable fair lending laws in its operations. FHFA expects each Enterprise to maintain a fair lending program that effectively identifies, assesses, monitors, and mitigates fair lending risk and prevents the occurrence of fair lending violations in Enterprise operations. Each Enterprise must fully comply with associated fair lending requirements. FHFA encourages each Enterprise to affirmatively further the purposes of the Fair Housing Act, including promoting fair lending compliance among their business counterparties while furthering their public purposes in the mortgage market and within their own activities relating to housing and urban development.<br></p><h3>​I.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Compliance with Fair Lending Laws</h3><p>The following section provides general guidance with respect to Enterprise compliance with fair lending laws. It is not intended to provide authoritative or definitive statements of fair lending law and is intended to give practical guidance for fair lending compliance with respect to Enterprise operations based on a combined application of all fair lending laws noted in the Background section. The examples provided are general in nature. When determining whether a fair lending violation has occurred, close scrutiny of the facts and law are warranted in all cases. However, even situations where conduct is close to the line of illegality with respect to fair lending raise questions about appropriate risk management and effectiveness of or support for the fair lending program. The fact that an aspect of fair lending law is not covered explicitly in this advisory bulletin should not be construed to mean that FHFA will not enforce that aspect as part of fair lending supervision.<br></p><h4>A.&#160;&#160;&#160;&#160;&#160; Prohibited Bases</h4><p>Prohibited bases<a href="#footnote6">[6]</a> protected from discrimination under the Federal fair lending laws noted above are&#58;</p><ul><li>Race</li><li>Color</li><li>Religion</li><li>National Origin</li><li>Sex, Sexual Orientation, and Gender Identity<a href="#footnote7">[7]</a></li><li>Marital Status</li><li>Age</li><li>Receipt of income derived from any public assistance program</li><li>Exercise, in good faith, of any right under the Consumer Credit Protection Act<a href="#footnote8">[8]</a></li><li>Familial status</li><li>Disability<a href="#footnote9">​[9]</a></li><li>Consideration of the age of a dwelling or age of the neighborhood in a manner that has an unjustified discriminatory effect</li><li>Consideration of the location of a dwelling or the census tract where the dwelling is located in a manner that has an unjustified discriminatory effect<br></li></ul><div> <br> </div><div>An<span style="color&#58;#444444;">&#160;Enterprise may not discriminate on a prohibited basis because of the characteristics of&#58;</span></div><div> <span style="font-style&#58;normal;color&#58;#444444;"> <br></span></div><div><ul><li> <span style="font-style&#58;normal;color&#58;#444444;">An applicant, prospective applicant, or</span><span style="font-style&#58;normal;color&#58;#444444;">&#160;</span><span style="font-style&#58;normal;color&#58;#444444;">borrower</span></li><li> <span style="font-style&#58;normal;color&#58;#444444;"></span> <span style="color&#58;#444444;">A</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">person</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">associated</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">with</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">an</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">applicant,</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">prospective</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">applicant,</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">or</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">borrower</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">(for example, a co-applicant, spouse, business partner, or live-in</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">aide)</span></li><li> <span style="color&#58;#444444;">The present or prospective occupants of the subject property, or</span></li><li> <span style="color&#58;#444444;">The characteristics</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">of</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">the</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">neighborhood</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">or</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">other</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">area</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">where</span><span style="color&#58;#444444;"> the subject </span><span style="color&#58;#444444;">property</span><span style="color&#58;#444444;"> </span><span style="color&#58;#444444;">is located</span><a href="#footnote10">[​10]</a><br></li></ul><div> <br> </div><h4>B.&#160;&#160;&#160;&#160;&#160; Covered Enterprise Activities</h4><p> <span style="font-family&#58;lato, sans-serif;font-weight&#58;900;"></span>Enterprise activities covered by fair lending laws include but are not limited to&#58;</p><ul><li> <span style="font-style&#58;normal;color&#58;#444444;">Purchasing residential&#160;estate loans (includi</span><span style="font-style&#58;normal;color&#58;#444444;">ng setting terms and conditions for purchase);<a href="#footnote11">[11]​</a></span></li> <a href="#footnote11"></a> <li> <a href="#footnote11"> <span style="color&#58;#444444;">Providing loans or financial assistance for residential real estate;</span></a><a href="#footnote12">​[12]</a></li><li>Participating&#160;in credit decisions<a href="#footnote13">[13]</a>​<br></li><li> <span style="color&#58;#444444;">Selling dwellings (such as through REO disposition);</span><a href="#footnote14">​[14]</a><br></li><li> <span style="color&#58;#444444;">Advertising, communications, and statements (including among employees);</span><a href="#footnote15">​[15]</a></li><li> <span style="color&#58;#444444;">Setting standards for appraisals and relying on appraisals in purchasing real estate loans;</span><a href="#footnote16">​[16]</a></li><li> <span style="color&#58;#444444;">Making decisions related to loss mitigation in servicing of real estate loans (including establishing standards for such decisions);</span><a href="#footnote17">​[17]</a></li><li> <span style="color&#58;#444444;">Pooling, packaging, and securitizing residential real estate loans and marketing and selling such securities;</span><a href="#footnote18">​[18]</a></li><li> <span style="color&#58;#444444;">Multifamily purchasing and lending, setting standards for such purchasing and lending, servicing multifamily loans, and pooling or securitization related to multifamily dwellings;</span><a href="#footnote19">​[19]</a></li><li> <span style="color&#58;#444444;">Making housing unavailable;</span><a href="#footnote20">​[20]</a><span style="color&#58;#444444;"> and</span></li><li> <span style="color&#58;#444444;">Models related to these activities</span></li></ul><p> <span style="font-style&#58;normal;color&#58;#444444;"></span></p><p> <span style="color&#58;#444444;"></span></p><p> <span style="color&#58;#444444;">Methods of proving discrimination under these fair lending laws include&#58;</span><br></p><p></p><ul><li> <span style="color&#58;#444444;">Overt or direct evidence of disparate treatment;</span></li><li> <span style="color&#58;#444444;">Comparative or indirect evidence of disparate treatment (including code word or redlining evidence); and</span></li><li> <span style="color&#58;#444444;">Evidence of disparate impact where the Enterprise did not demonstrate a legitimate business justification</span></li></ul> <span style="color&#58;#444444;"></span> <p></p><p> <span style="color&#58;#444444;"></span></p><p> <span style="color&#58;#444444;">Additional types of prohibited discrimination that are relevant in Enterprise fair lending compliance include&#58;</span><br></p><p></p><ul><li> <span style="color&#58;#444444;">Discriminatory statements, steering, and discouragement;</span></li><li> <span style="color&#58;#444444;">Use of discriminatory appraisals;</span><a href="#footnote21">​[21]</a><span style="color&#58;#444444;"> and</span></li><li> <span style="color&#58;#444444;">Discriminatory interference or retaliation</span></li></ul> <span style="color&#58;#444444;"></span> <p></p><p> <span style="color&#58;#444444;"></span></p><p> <span style="color&#58;#444444;"></span></p><h4>C.&#160;&#160;&#160;&#160;&#160; Direct and Vicarious Liability</h4><p>The Fair Housing Act imposes liability for violations through both direct and vicarious liability, including the conduct of employees and agents and third parties in certain circumstances.<a href="#footnote22">[22]</a></p><p>An Enterprise is directly responsible for a fair housing violation resulting from its own conduct, and vicariously responsible for a fair housing violation that results from the conduct of its agents and employees, regardless of whether the Enterprise knew or should have known of the conduct of its agents and employees, consistent with agency law.<a href="#footnote23">[23]</a></p><p> <span style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-style&#58;normal;color&#58;#444444;">An Enterprise is also responsible for failing to take prompt action to correct and end a fair housing violation in certain circumstances, including&#58;</span></p><p></p><ul><li> <span style="color&#58;#444444;">Such a violation by the Enterprise's employee or agent where the Enterprise knew or should have known of the discriminatory conduct; and</span></li><li> <span style="color&#58;#444444;">Such a violation by a third-party, where the Enterprise knew or should have known of the discriminatory conduct and had the power to correct it, depending on the extent of the Enterprise's control or other legal responsibility an Enterprise may have with respect to the third party's conduct.</span><a href="#footnote24">[24]</a><br><br></li></ul><div><h4>D.&#160;&#160;&#160;&#160;&#160; Disparate Treatment</h4><p>Disparate treatment occurs when an Enterprise treats a borrower or property differently based on one of the prohibited bases. It does not require any showing that the treatment was motivated by prejudice or a conscious intention to discriminate beyond the difference in treatment itself. Disparate treatment may more likely occur in the treatment of borrowers or properties that are neither clearly well-qualified nor clearly unqualified or where discretionary processes are present.</p><p>The existence of illegal disparate treatment may be established either by statements revealing that an Enterprise explicitly considered prohibited factors (overt evidence) or by differences in treatment that are not fully explained by legitimate nondiscriminatory factors (comparative evidence). Disparate treatment can also be shown through appropriate statistical analysis.<br></p><h5>1.&#160;&#160;&#160;&#160;&#160;&#160; Overt or Direct Evidence of Disparate Treatment</h5><p>There is overt evidence of discrimination when oral or written statements indicate an Enterprise discriminates on a prohibited basis without need for inference or comparative evidence. <a href="#footnote26">[25]</a></p></div></div><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><div><div><p> <em>Example&#58; </em>Suppose an Enterprise asset manager for REO properties decides not to repair or upgrade a property in the capital city of a tribal nation before putting it on the market and justifies the decision because it is near “Indian nation public housing&quot; and “buyers may have a problem with that.&quot; The decision would be a violation because it was made because of the&#160;race of nearby residents of the neighborhood.<a href="#footnote26">[26]</a><br></p></div></div></blockquote><div><div><h5>2.&#160;&#160;&#160;&#160;&#160;&#160; Comparative or Indirect Evidence of Disparate Treatment </h5><p>If an Enterprise has apparently treated similarly situated borrowers or properties differently on the basis of a prohibited factor, it must provide a legitimate non-discriminatory explanation for the difference in treatment. If the Enterprise's explanation is found to be not credible or not applied consistently to similarly situated borrowers or properties, FHFA may find that the entity discriminated.<a href="#footnote27">[27]</a></p> <br> </div></div><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><div><div><p> <em>Example&#58;</em> Suppose an Enterprise asset manager for REO properties repairs or upgrades an REO property in a white neighborhood when “only cosmetic&quot; repairs are needed but does not repair an REO property with similar characteristics in a minority neighborhood when “only cosmetic&quot; repairs or upgrades are needed. Suppose also that there is no clear policy on how to handle cosmetic repairs, leaving it to the asset manager's discretion. The decision would be a violation because it treated similarly situated properties in minority and white neighborhoods differently without a credible legitimate non-discriminatory explanation or consistent application.</p></div></div><div><div><p> <em>Example&#58; </em>Suppose an Enterprise determines it will stop doing business with a minority multifamily sponsor due to property maintenance concerns. A white multifamily sponsor presents similar property maintenance concerns, but instead, receives a warning. The Enterprise is unable to provide evidence explaining the difference in treatment between the two sponsors. The decision would be a violation because it treated two similarly situated sponsors of different race/ethnic backgrounds differently without a credible legitimate non-discriminatory explanation or consistent application.</p></div></div></blockquote><div><div><h5>3.&#160;&#160;&#160;&#160;&#160; Redlining<br></h5><p>Redlining is a form of illegal disparate treatment in which an Enterprise treats borrowers or properties differently because of the race, color, national origin, or other prohibited characteristic(s) of the residents of the area without any legitimate business reason. It is often shown by overt evidence, comparative evidence of differences in treatment, and can be supported by maps showing differences in outcomes for borrowers or properties in neighborhoods with different racial characteristics.<a href="#footnote28">[28]</a></p></div></div><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><div><div><p> <em>​Example&#58;</em> Suppose an Enterprise provides discretion to multifamily underwriters to accept or reject purchases of multifamily loans. For the past two years, this Enterprise accepted nearly four times as many applications for properties located in white neighborhoods compared with properties located in Black neighborhoods. Maps of Metropolitan Statistical Areas (“MSAs&quot;) depicting accepted and rejected purchases showed avoidance of majority-Black neighborhoods, and where there were accepted loans in majority-Black neighborhoods, they were almost exclusively along the edges of those neighborhoods in close proximity to white neighborhoods. This policy would present fair lending risk and could be a violation because the Enterprise's discretionary policies resulted in redlining.</p></div></div></blockquote><div><h5>4.&#160;&#160;&#160;&#160;&#160;&#160; Code Word Evidence of Disparate Treatment<br></h5><p>Use of certain code words can be evidence of disparate treatment. Whether a code word is evidence of disparate treatment depends on the context, inflection (if spoken), tone of voice (if spoken), custom, and historical usage.<a href="#footnote29">[29]</a> Examples of potential code words include describing minority neighborhoods as “crime-ridden,&quot; “inner city&quot; neighborhoods, or lacking “pride of ownership.&quot;<a href="#footnote30">[30]</a> Code word evidence should be carefully evaluated in its full context before drawing conclusions.</p><h4>E.&#160;&#160;&#160;&#160;&#160; Disparate Impact<br></h4><p>When a neutral policy or practice disproportionately excludes or burdens certain persons or neighborhoods on a prohibited basis, the policy or practice is described as having a &quot;disparate impact.&quot;<br></p><p>The fact that a policy or practice creates a disparity on a prohibited basis is not alone proof of a violation. When a disparate impact is identified, the next step is to determine whether the policy or practice is necessary to achieve one or more substantial, legitimate, nondiscriminatory objectives. Factors that may be relevant to the justification could include cost, profitability, or compliance with legal requirements, among others. Even if a policy or practice that has a disparate impact on a prohibited basis can be justified by a legitimate nondiscriminatory objective, the policy or practice still may be found to be in violation of the Fair Housing Act if an alternative policy or practice could serve the legitimate nondiscriminatory interests by another practice with less discriminatory effect. Evidence of discriminatory intent is not necessary to establish a violation based on disparate impact. Appropriate statistical analysis is usually necessary to evaluate whether a policy creates a disparity and may also be relevant in assessing justification and potential less discriminatory alternatives.<a href="#footnote31">[31]</a> </p><p>A fair lending self-evaluation of a policy or practice, assessing its impact and considering whether potential less discriminatory alternatives would serve the Enterprise's legitimate nondiscriminatory objective, could be part of an effective compliance risk management process, and provide helpful support for concluding that the policy or practice is not a disparate impact violation, especially when evidence indicates that the least discriminatory alternative was adopted.<br></p></div><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><div><div><p> <em>Example&#58;</em> Suppose an Enterprise has a special Guide requirement in place for properties in Puerto Rico. This policy has been in place without review for a substantial period of time to determine its effectiveness or need in preventing significant costs or losses. The Enterprise does not subject any other state or territory to this requirement with similar or greater risk. This policy disproportionately affects Latino borrowers as the predominant residents of Puerto Rico. The policy would be a violation because it has a significant disparate impact but lacks clear justification.</p></div></div><div><div><p> <em>Example&#58;</em> Suppose an Enterprise's automated underwriting model includes a factor that leads to significantly lower disproportionate acceptance rates for Black borrowers. The factor improves the model's ability to predict risk, but only marginally so. The model is still a sound, predictive model that meets the Enterprise's business needs without the factor Including the factor would be a violation because it has a significant disparate impact but the model without the factor would be a less discriminatory alternative.<a href="#footnote32">[32]</a></p></div></div><div><div><p> <em>​Example&#58;</em> Suppose an Enterprise's business policy treats properties with a current market value of lower than $100,000 less favorably than properties above that threshold. The policy disproportionately affects more properties in minority neighborhoods than white neighborhoods. The policy has a legitimate business purpose, but other means having less disproportionate impact are available to achieve that purpose. The policy would be a violation because less discriminatory alternative policies are available.<br></p></div></div></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><div><div><p> <em>Example&#58;</em> Suppose an Enterprise underwriting model has a higher cutoff score for certain metro areas. The higher cutoff score is based on an Enterprise's risk assessment of a specific factor for that metro and is unknown to applicants and lenders. The policy has a disproportionate impact on Black and Latino applicants who are rejected by this higher cutoff score at higher rates than white applicants. The Enterprise generally does not take metro-area differences into account in underwriting in other ways. The projected stress losses of not using the higher cutoff score for certain metro areas are minimal. The policy would be a violation because a less-discriminatory alternative exists in the Enterprise's general policy of not taking into account metro-area differences. Prudent fair lending risk management is especially warranted of location-based criteria that have a disparate impact given the Enterprise's obligations under its statutory charter and the Safety and Soundness Act.<a href="#footnote33">[33]</a><br></p> <br> </div></div></blockquote><div><div><h4>F.&#160;&#160;&#160;&#160;&#160; Discriminatory Statements, Steering, and Discouragement</h4><p>Making or publishing advertisements, statements, or notices that indicate a preference, limitation or discrimination on a prohibited basis violate the Fair Housing Act.<a href="#footnote34">[34]</a> Such statements could be made to the public, or to agents or employees if made as part of a decision-making process.<a href="#footnote35">[35]</a> Selecting media or locations for publication or the form of advertisements (such as the repeated absence of non-white models) may also constitute discriminatory advertisements or statements. Whether a statement is a violation does not depend on the intent of the speaker or writer, but on whether a reasonable person would interpret the statement to indicate a preference, limitation, or discrimination.</p><p>Unlawful steering also constitutes a violation of the Fair Housing Act.<a href="#footnote36">[36]</a> Steering involves restricting or attempting to restrict neighborhood choice by word or conduct to perpetuate segregated housing patterns or discourage or obstruct free neighborhood choice. Examples include statements that discourage home purchases on a prohibited basis by exaggerating the drawbacks or failing to note the desirable features of a home or neighborhood and statements that indicate a person would not be comfortable or compatible with existing neighborhood residents. It is also a violation to make oral or written statements to applicants that would discourage on a prohibited basis a reasonable person from making or pursuing an application for credit.<a href="#footnote37">[37]</a> </p></div></div><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><div><div><p> <em>​Example&#58;</em> Suppose an Enterprise advertises an REO property on its website and notes its location in a “culturally diverse area.&quot; The residents of the neighborhood where the property is located are nearly all Black. This statement would be a violation because it describes the neighborhood in racial terms. It also could constitute a steering violation because it can reasonably be interpreted to indicate who may or may not be comfortable living near the existing residents of the neighborhood.<br></p></div></div></blockquote><div><div><h4>G.&#160;&#160;&#160;&#160;&#160; Reliance on Discriminatory Property Valuation</h4><p>It is a Fair Housing Act violation to use a property valuation in connection with the sale or financing of a dwelling when an Enterprise knows or reasonably should know that the property valuation improperly takes into consideration a prohibited basis.<a href="#footnote38">[38]</a> Further, the Safety and Soundness Act fair housing provision, implemented by HUD regulations, prohibits an Enterprise from discriminating in any manner in the purchase of a mortgage, including discriminatory property valuation.<a href="#footnote39">[39]</a>&#160;</p></div></div><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><div><div><p> <em>Example&#58;</em> Suppose an Enterprise relies on an appraisal that undervalues a property in a minority neighborhood in establishing the loan-to-value ratio for a loan purchase and the appraisal includes comments from the appraiser that the neighborhood is “predominately Hispanic,&quot; the residents have “assimilated their culture heritage&quot; into the neighborhood, and it was now “one spicy neighborhood.&quot; The reliance would be a violation because the Enterprise should have known the appraisal improperly considered a prohibited basis.</p></div></div></blockquote><div><div><h4>H.&#160;&#160;&#160;&#160;&#160;&#160; Retaliation or Interference</h4><p>It is a Fair Housing Act violation to coerce, intimidate, threaten, or interfere with any person for having aided or encouraged any other person in the exercise of fair housing rights.&#160; This includes such conduct toward Enterprise employees or agents that report fair housing violations to an Enterprise or other authorities including FHFA or HUD or who take steps to try to correct such violations.<a href="#footnote40">[40]</a></p></div></div><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><div><div><p> <em>​Example&#58;</em> Suppose an Enterprise employee believes an Enterprise operational area is violating fair lending laws and seeks to correct the problem. The employee's manager threatens to reassign him to a different practice group if he does not immediately drop the matter and reverse his assessment. The conduct would be a violation because the employee engaged in protected activity by trying to uphold fair housing rights and the manager's actions interfered with that activity in circumstances indicating it was motivated by the protected activity. &#160;</p></div></div></blockquote><div><div><h4>I.&#160;&#160;&#160;&#160;&#160;&#160; Reasonable Accommodations<br></h4><p>It is a Fair Housing Act violation for an Enterprise to fail to refuse to make reasonable accommodations in rules, policies, practices, or services, when such accommodations may be necessary to afford a person with disabilities equal opportunity to use and enjoy a dwelling unit.<br></p></div></div><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><div><div><p> <em>​Example</em>&#58; Suppose an Enterprise policy offers single-family mortgage underwriting flexibility for legal guardians of adults with developmental disabilities but not legal guardians of adults with traumatic brain injuries. The Fair Housing Act protects persons with disabilities and persons associated with them broadly, and the policy would be a violation because it treats persons associated with persons with traumatic brain injuries less favorably without any apparent justification. The policy would effectively provide a reasonable accommodation to some borrowers protected by the Fair Housing Act but not to others also protected by the Act who are similarly situated.<br></p> <br> </div></div></blockquote><div><div><h4>J.&#160;&#160;&#160;&#160;&#160; Recognized Exceptions<br></h4><p>There are activities that may appear to be violations of fair lending law but are recognized exceptions to the law. If conducted by an Enterprise according to appropriate legal standards, supervisory action would generally not be warranted in these circumstances.<br></p><h5></h5><h5>1.&#160;&#160;&#160;&#160;&#160;&#160; Special Purpose Credit Programs<br></h5><p>The ECOA and Regulation B allow for-profit creditors, including an Enterprise, to establish special-purpose credit programs benefiting applicants who meet certain eligibility requirements. Generally, these programs target an economically disadvantaged class of individuals and are authorized by federal or state law. This could include eligibility requirements involving one or more prohibited bases. The requirements for special purpose credit programs are provided for in Regulation B.<a href="#footnote41">[41]</a> Prudent risk management by an Enterprise offering such a program would also counsel good-faith conformity with the advisory opinion of the Consumer Financial Protection Bureau (CFPB) in implementation of any special purpose credit program, which would provide liability protection under section 706(e) of ECOA.<a href="#footnote42">[42]</a> HUD confirmed in legal guidance that special purpose credit programs complying with ECOA and Regulation B do not violate the Fair Housing Act,<a href="#footnote43">[43]</a> and the Department of Justice has recognized special purpose credit programs in a remedial settlement agreement that includes the Fair Housing Act.<a href="#footnote44">[44]</a><br></p><h5></h5><h5>2.&#160;&#160;&#160;&#160;&#160;&#160; Age-Restricted Properties<br></h5><p>The Fair Housing Act provides for occupant age-restricted housing under certain circumstances when the housing meets conditions under HUD's regulations.<a href="#footnote45">[45]</a> Enterprise programs that allow for purchase of occupant age-restricted properties meeting Fair Housing Act standards are permissible.</p><h5>3.&#160;&#160;&#160;&#160;&#160;&#160; Affirmative Marketing</h5><p>&#160;Affirmative advertising that attempts to reach members of traditionally disadvantaged groups or to reach persons who are least likely to apply for a program is a compliant strategy for advertising and outreach under the Fair Housing Act and the Equal Credit Opportunity Act.<a href="#footnote46">[46]</a> </p><h3>II.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Effective Enterprise Fair Lending Program</h3><p>The following section provides general guidance on FHFA's supervisory expectations for effective Enterprise fair lending programs. Note&#58; this guidance does not affect or supersede other FHFA supervisory guidance on risk management, including compliance risk management and model risk management.<br></p><p>FHFA expects each Enterprise to maintain a fair lending program that effectively identifies, assesses, monitors, and mitigates fair lending risk and prevents the occurrence of fair lending violations in Enterprise operations. Fair lending risk includes violations of fair lending law or conditions that permit the occurrence of fair lending violations, but also issues that subject an Enterprise to reputational harm related to issues such as fair lending and serving the Enterprise's public purposes. In this way, fair lending risk poses both management and operational risks.<br></p><p>The responsibility for an effective fair lending program goes beyond specific personnel responsible for fair lending. An effective fair lending program requires appropriate board and management oversight and support for the fair lending program, and the cooperation from business and operational areas at an Enterprise. Clear expectations that operational areas must take steps necessary to implement controls to mitigate fair lending risk and prevent the occurrence of fair lending violations should be underscored by board and management support. The fair lending program should have board and management support in conducting its work free from interference or retaliation. Cooperation with FHFA and HUD in their fair housing oversight of the Enterprise is also an important element of an effective fair lending program and a supervisory expectation of FHFA.<br></p><h4>A.&#160;&#160;&#160;&#160;&#160; Identifying Fair Lending Risk</h4><p>Identifying fair lending risk involves personnel knowledgeable in fair lending, Enterprise activities and business operations, and recurring risk assessment to identify operational areas where fair lending risk may be present.<br></p><h4>B.&#160;&#160;&#160;&#160;&#160;&#160; Assessing Fair Lending Risk</h4><p>Assessing fair lending<em> </em>risk involves the assessment of operational areas using both qualitative and quantitative methods to accurately assess the amount and nature of the fair lending risk present in an operational area.</p><h4>C.&#160;&#160;&#160;&#160;&#160; Monitoring Fair Lending Risk</h4><p>Monitoring fair lending risk<em> </em>involves having processes in place to monitor the identification and assessment of fair lending risk in an operational area to ensure that the identification and assessment remain up to date and accurate. It can involve both qualitative assessment of changes in the operational area, as well as regular statistical analysis to monitor fair lending risk.</p><h4>D.&#160; &#160; &#160; Mitigating Fair Lending Risk</h4><p>Mitigating fair lending risk involves creating and supporting a control environment around operational areas where fair lending risk is identified and assessed to effectively mitigate the risk. Appropriate fair lending training both at a general level and a specific level to an operational area's specific fair lending risks are an important component of mitigating fair lending risk. Because an Enterprise's responsibility for fair lending extends to agents and, in some cases, other third parties, third party risk management is also an important component of mitigating fair lending risk. Development and assessment of less discriminatory alternatives in key business areas is an important component of mitigating fair lending risk, as well as preventing the occurrence of fair lending violations.<br></p><h4>E.&#160;&#160;&#160;&#160;&#160;&#160; Preventing the Occurrence of Fair Lending Violations</h4><p>Preventing the occurrence of fair lending violations is a core component of an effective fair lending program, and failure to prevent the occurrence of fair lending violations is an indication that fair lending risk has not been appropriately identified, assessed, and mitigated. Such failure can also indicate an operational area has not adequately implemented controls or taken the steps identified by the fair lending program necessary to mitigate fair lending risk—a broader compliance issue for that operational area and an issue implicating board and management support for fair lending and oversight of the operations of the Enterprise.<a href="#footnote47">[47]</a></p><h4>F.&#160;&#160;&#160;&#160;&#160; Cooperation</h4><p>Cooperation is an important element of an effective fair lending program and a supervisory expectation of FHFA for all Enterprise operational areas. Cooperation is expected of both business and operational areas with respect to the Enterprise's internal fair lending program, as well as with FHFA and HUD in conducting fair lending supervision. Cooperation includes the sharing of complete information requested by FHFA or HUD in fair lending supervision. FHFA's policy statement on fair lending encourages self-reporting of potential fair lending violations, and FHFA views self-reporting favorably in exercising its supervisory and enforcement discretion.<a href="#footnote48">[48]</a></p><h3>III.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Fair Lending Risk Factors</h3><p>Certain risk factors are commonly associated with higher fair lending risk and the existence of conditions under which fair lending violations may occur. FHFA's supervisory expectation is that an effective Enterprise fair lending program will take account of these risks and establish appropriate compliance controls when they are present. Failure to appropriately mitigate fair lending risk that occurs because of fair lending risk factors can result in supervisory findings depending on the facts and circumstances.</p><p>Risk factors commonly associated with higher fair lending risk include&#58;<br></p><ul><li>Substantial discretion to make decisions on transactions or properties</li><li>Lack of clear policies, procedures, business rules, or decision criteria</li><li>Use of factors in decision-making that are subjective rather than objective</li><li>Use of geographic factors or different treatment of geographies</li><li>Policies impacting outcomes that lack clear business justification</li><li>Policies impacting outcomes that have not undergone review for effectiveness or need for a significant period of time</li><li>Compensation criteria or other incentives that could lead to disparities in outcomes</li><li>Reliance on third parties without appropriate oversight</li><li>Unreliable or incomplete data</li><li>Consumer complaints</li><li>Employee statements indicating aversion to doing business in certain areas with relatively high concentration of residents sharing a protected class characteristic</li></ul><h3>IV.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Associated Fair Lending Requirements</h3><p>Requirements associated with fair lending not discussed above include requirements related to ECOA notices, data collection and reporting, the Annual Housing Activities Report, credit score approval, new activities and new products, fulfillment of HUD requirements, and FHFA conservatorship requirements. It is an FHFA supervisory expectation that an Enterprise comply with these requirements.<br></p><h4>A.&#160;&#160;&#160;&#160;&#160; ECOA Notice Requirements</h4><p>The Equal Credit Opportunity Act requires notice to applicants when a creditor participating in the credit decision takes certain actions.<a href="#footnote49">[49]</a> This includes certain servicing decisions.<a href="#footnote50">[50]</a> FHFA's supervisory expectation is that an Enterprise will comply with applicable ECOA requirements in the appropriate business lines and operational areas.</p><h4>B.&#160;&#160;&#160;&#160;&#160;&#160; Data Collection and Reporting Requirements</h4><p>Each Enterprise is required by law to collect and report underlying race, ethnicity, and other demographic data used for fair lending monitoring and analysis for various purposes.<a href="#footnote51">[51]</a>&#160; The Enterprises are required to report certain fair lending information to FHFA on a quarterly basis and additional information upon request pursuant to FHFA's Enterprise Compliance and Information Submission with Respect to Fair Lending Order.<a href="#footnote52">[52]</a></p><h4>C.&#160;&#160;&#160;&#160;&#160; Annual Housing Activities Report</h4><p>Each Enterprise, in its Annual Housing Activities Report, is required to assess underwriting standards, business practices, repurchase requirements, pricing, fees, and procedures that affect the purchase of mortgages for low- and moderate-income families, or that may yield disparate results based on the race, color, religion, sex, handicap, familial status, age, or national origin of the borrower, including revisions thereto to promote affordable housing or fair lending.<a href="#footnote53">[53]</a> FHFA expects that an Enterprise will engage in a meaningful analysis of its standards, practices, and requirements that may yield disparate results on prohibited bases and provide transparency to the public into its analysis and the revisions it undertook to promote fair lending.</p><h4>D.&#160;&#160;&#160;&#160;&#160;&#160; Validation and Approval of Credit Score Models</h4><p>The FHFA regulation for validation and approval of credit score models contains requirements related to fair lending. Each application under the process must meet the standards set forth in the regulation related to fair lending compliance and certification for applications, as well as any additional requirements related to fair lending in the credit score solicitation.<a href="#footnote54">[54]</a> Each Enterprise must conduct a fair lending assessment as part of assessment process under the rule.<a href="#footnote55">[55]</a></p><h4>E.&#160;&#160;&#160;&#160;&#160;&#160; Requirements related to HUD and Federal ECOA-enforcing Agencies</h4><p>Each Enterprise is required to undertake certain actions related to fair lending enforcement in the primary mortgage market at the direction of HUD, including providing certain information to HUD regarding lenders and servicers either to assist HUD or Federal agencies enforcing ECOA, and to undertake remedial actions against certain lenders at the direction of HUD.<a href="#footnote56">[56]</a> FHFA expects that an Enterprise will fully cooperate with HUD in any such direction.<br></p><h4>F.&#160;&#160;&#160;&#160;&#160; FHFA Conservatorship Requirements</h4><p>While the Enterprises are in conservatorship, FHFA's conservatorship function for each Enterprise also includes fair lending oversight. FHFA conservatorship directives may include requirements associated with fair lending compliance or intended to further fair lending principles. FHFA expects each Enterprise to comply with these conditions and have available information demonstrating compliance for supervisory review.<br></p><h3>V.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Steps to Promote Fair Housing and Fair Lending</h3><p>The Enterprises play a unique and important role in the mortgage market, and their operations and policies can promote fair housing and fair lending compliance and further the purposes of fair lending laws and the public interest in the primary mortgage market. Historically, the Enterprises have often played a leading role in adopting standards to promote fair lending. FHFA encourages each Enterprise to promote among their business counterparties fair lending compliance and the purposes of fair lending laws while furthering their public purposes in the mortgage market. While such Enterprise actions are not a substitute for ensuring fair lending compliance in an Enterprise's own operations, an effective fair lending program, or compliance with associated fair lending requirements, they demonstrate a commitment to promoting fair lending that FHFA encourages and recognizes. An Enterprise that takes such actions to promote fair lending is encouraged to document them and to provide them to FHFA during FHFA's fair lending oversight, even when not required to by other FHFA requirements.<br></p><p>Additionally, FHFA has established the Equitable Housing Finance Plan framework as conservator, under which an Enterprise is required to engage in ongoing barrier identification, planning, and goal-setting, and to undertake meaningful actions to address those barriers.<a href="#footnote57">[57]</a> Each Enterprise is also required to report progress on such plans annually. FHFA's supervisory expectation is that an Enterprise's efforts under the Equitable Housing Finance Plan will demonstrate full compliance with the framework.</p><h2> ​ <span style="text-decoration&#58;underline;"><strong></strong></span></h2><h2> <span style="text-decoration&#58;underline;"> <strong>Related Guidance and Regulations</strong></span></h2><h3>I.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Federal Fair Lending Laws and Regulations</h3><p>Fair Housing Act – 42 U.S.C. 3601 <em>et seq.</em></p><p>Discriminatory Conduct Under the Fair Housing Act – 24 CFR part 100<br></p><p>Equal Credit Opportunity Act – 15 U.S.C. 1691 <em>et seq.</em></p><p>Equal Credit Opportunity Act (Regulation B) – 12 CFR part 1002<br></p><p>Safety and Soundness Act fair housing provision – 12 U.S.C. 4545<br></p><p>HUD's Regulation of Fannie Mae and Freddie Mac – 24 CFR part 81, subpart C</p><p>&#160;<br></p><h3>II.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; FHFA Fair Lending Guidance and Requirements</h3><p> <a href="/SupervisionRegulation/Rules/Pages/Policy-Statement-on-Fair-Lending.aspx">FHFA Fair Lending Policy Statement</a><br></p><p> <a href="/PolicyProgramsResearch/Policy/Pages/Fair-Lending-Oversight.aspx">FHFA Fair Lending Reporting Orders</a><br></p><p> <a href="/Media/PublicAffairs/PublicAffairsDocuments/FHFA-HUD-MOU_8122021.pdf">FHFA-HUD Memorandum of Understanding Regarding Fair Housing and Fair Lending Coordination </a><br></p><p>&#160;</p><h3>III.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Federal Fair Lending Guidance</h3><p>These resources are issued by Federal agencies related to fair lending matters. They may provide helpful guidance on the application of fair lending laws or exam and investigation procedures and methods in a variety of contexts. While FHFA considers the resources relevant and helpful guidance, the list of resources is not intended to be comprehensive. FHFA carefully considers the full context of the facts and law in any particular matter involving the Enterprises' fair lending compliance.<br></p><h4>A.&#160;&#160;&#160;&#160;&#160; General Federal Fair Lending Guidance</h4><p>General guidance from Federal agencies regarding fair lending can provide helpful guidance in particular matters.<br></p><p> <a href="https&#58;//www.govinfo.gov/content/pkg/FR-1994-04-15/html/94-9214.htm">1994 Policy Statement on Discrimination in Lending</a><br></p><p> <a href="https&#58;//www.federalreserve.gov/boarddocs/caletters/2009/0906/09-06_attachment.pdf">Interagency Fair Lending Exam Procedures</a></p><p> <a href="https&#58;//www.hud.gov/program_offices/administration/hudclips/handbooks/fheo/80241">HUD Fair Housing Act Complaint intake, Investigation, and Conciliation Handbook</a></p><p> <a href="https&#58;//files.consumerfinance.gov/f/201307_cfpb_ecoa_baseline-review-module-fair-lending.pdf">CFPB ECOA Baseline Review Modules</a></p><h4>B.&#160;&#160;&#160;&#160;&#160;&#160; Federal Enforcement Actions and Administrative Decisions</h4><p>Complaints, administrative opinions, consent orders, and similar actions by Federal agencies that enforce fair lending laws can provide helpful guidance on particular matters.<br></p><p> <a href="https&#58;//www.justice.gov/crt/housing-and-civil-enforcement-section-cases-1">DOJ Housing and Civil Enforcement Section Cases</a><br></p><p> <a href="https&#58;//www.hud.gov/program_offices/hearings_appeals/cases/fha">HUD Administrative Law Judge Fair Housing Act Decisions</a></p><p> <a href="https&#58;//orders.fdic.gov/s/">FDIC Enforcement Actions</a></p><p> <a href="https&#58;//www.federalreserve.gov/supervisionreg/enforcementactions.htm">Federal Reserve Enforcement Actions</a></p><p> <a href="https&#58;//apps.occ.gov/EASearch/">Office of the Comptroller of the Currency Enforcement Actions</a><br></p><h4>C.&#160;&#160;&#160;&#160;&#160; Specific Federal Fair Lending Guidance</h4><p>Guidance from Federal agencies regarding specific topics as they relate to fair lending can provide helpful guidance in particular matters.<br></p><h5>1.&#160;&#160;&#160;&#160;&#160;&#160; Accessibility (Design and Construction), Group Homes, Reasonable Accommodation, Service Animals</h5><p> <a href="https&#58;//www.justice.gov/sites/default/files/crt/legacy/2013/05/03/jointstatement_accessibility_4-30-13.pdf">Accessibility (Design and Construction) Requirements for Covered Multifamily Dwellings under the Fair Housing Act</a><br></p><p> <a href="https&#58;//www.hud.gov/sites/dfiles/PA/documents/HUDAsstAnimalNC1-28-2020.pdf">Assessing a Person's Request to Have an Animal as a Reasonable Accommodation Under the Fair Housing Act (HUD FHEO-2020-01)</a></p><p> <a href="https&#58;//www.justice.gov/sites/default/files/crt/legacy/2013/05/03/jointstatement_accessibility_4-30-13.pdf">Reasonable Accommodations under the Fair Housing Act</a></p><p> <a href="https&#58;//www.justice.gov/crt/page/file/909956/download">State and Local Land Use Laws and Practices and the Application of the Fair Housing Act</a></p><h5>2.&#160;&#160;&#160;&#160;&#160;&#160; Advertising, Discriminatory Statements</h5><p> <a href="http&#58;//www.montanafairhousing.org/forms/24CFR_109.pdf">Fair Housing Act Advertising Guidelines (former 24 CFR part 109)</a><br></p><p> <a href="https&#58;//www.hud.gov/sites/documents/DOC_7784.PDF">Memorandum on Guidance Regarding Advertisements Under 804(c) of the Fair Housing Act</a></p><h5>3.&#160;&#160;&#160;&#160;&#160;&#160; Criminal Background Checks</h5><p> <a href="https&#58;//www.hud.gov/sites/documents/HUD_OGCGUIDAPPFHASTANDCR.PDF">Application of Fair Housing Act Standards to the Use of Criminal Records by Providers of Housing and Real Estate-Related Transactions</a><br></p><h5>4.&#160;&#160;&#160;&#160;&#160;&#160; Gender Identity, Sexual Orientation</h5><p> <a href="https&#58;//www.hud.gov/sites/dfiles/PA/documents/HUD_Memo_EO13988.pdf">Implementation of Executive Order 13988 on Enforcement of the Fair Housing Act</a><br></p><h5>5.&#160;&#160;&#160;&#160;&#160;&#160; Limited English Proficiency</h5><p> <a href="https&#58;//www.hud.gov/sites/documents/LEPMEMO091516.PDF">Fair Housing Act Protections for Persons with Limited English Proficiency</a><br></p><h5>6.&#160;&#160;&#160;&#160;&#160;&#160; Low-Income Housing Tax Credit Properties</h5><p> <a href="https&#58;//www.justice.gov/crt/memorandum-understanding-among-department-treasury-department-housing-and-urban-development-an-0">Inter-governmental Agreement on Low-Income Housing Tax Credit Properties</a><br></p><h5>7.&#160;&#160;&#160;&#160;&#160;&#160; Models</h5><p> <a href="https&#58;//ithandbook.ffiec.gov/media/resources/3672/occ-bl-97-24_credit_scor_models.pdf">OCC Bulletin 97-24 (Disparate Treatment and Disparate Impact sections)</a><br></p><h5>8.&#160;&#160;&#160;&#160;&#160;&#160; Occupancy Standards</h5><p> <a href="https&#58;//www.hud.gov/sites/documents/DOC_35681.PDF">Fair Housing Enforcement – Occupancy Standards Notice of Statement of Policy</a><br></p><h5>9.&#160;&#160;&#160;&#160;&#160;&#160; Public Assistance Income</h5><p> <a href="https&#58;//files.consumerfinance.gov/f/201505_cfpb_bulletin-section-8-housing-choice-voucher-homeownership-program.pdf">Section 8 Housing Choice Voucher Homeownership Program (CFPB Bulletin 2015-02)</a><br></p><p> <a href="https&#58;//files.consumerfinance.gov/f/201411_cfpb_bulletin_disability-income.pdf">Social Security Disability Income Verification (CFPB Bulletin 2014-03)</a></p><h5>10.&#160;&#160;&#160;&#160;&#160;&#160; Real Estate Owned Property</h5><p> <a href="https&#58;//www.federalreserve.gov/supervisionreg/srletters/sr1210a1.pdf">Questions and Answers for Federal Reserve-Regulated Institutions Related to the Management of Other Real Estate Owned (OREO) Assets (Fair Housing Act portions)</a><br></p><h5>11.&#160;&#160;&#160;&#160;&#160;&#160; Special Purpose Credit Programs</h5><p> <a href="https&#58;//www.consumerfinance.gov/rules-policy/final-rules/advisory-opinion-on-special-purpose-credit-programs/">Advisory Opinion on Special Purpose Credit Programs</a><br></p><p> <a href="https&#58;//www.hud.gov/sites/dfiles/GC/documents/Special_Purpose_Credit_Program_OGC_guidance_12-6-2021.pdf">Office of General Counsel Guidance on the Fair Housing Act's Treatment of Certain Special Purpose Credit Programs That Are Designed and Implemented in Compliance with the Equal Credit Opportunity Act and Regulation B</a></p><h5>12.&#160;&#160;&#160;&#160;&#160;&#160; Tribal Housing</h5><p> <a href="https&#58;//www.hud.gov/sites/documents/DOC_8818.PDF">Limiting Housing to Indian Families or Tribal Members (HUD Notice PIH 2009-4)</a><br></p><p> <br> </p><h3>IV.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Other Relevant FHFA Guidance</h3><p> <a href="https&#58;//www.ecfr.gov/cgi-bin/text-idx?node=pt12.10.1236&amp;rgn=div5#ap12.10.1236_15.1">Appendix to Part 1236, Prudential Management Operating Standards</a><br></p><p> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Enterprise-Risk-Management-Program.aspx">AB 2020-06 Enterprise Risk Management Program</a></p><p> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Compliance-Risk-Management.aspx">AB 2019-05 Compliance Risk Management</a></p><p> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Oversight-of-Third-Party-Provider-Relationships.aspx">AB 2018-08 Oversight of Third-Party Provider Relationships</a></p><p> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Classifications-of-Adverse-Examination-Findings.aspx">AB 2017-01 Classification of Adverse Examination Findings</a></p><p> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2013-07-Model-Risk-Management-Guidance.aspx">AB 2013-07 Model Risk Management Guidance</a></p><p> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2013-03-FHFA-ENFORCEMENT-POLICY.aspx">AB 2013-03 FHFA Enforcement Policy</a><br></p><div style="font-style&#58;normal;font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;">__________________<br></div></div><p></p></div><p> <span class="MsoFootnoteReference"> <span style="font-size&#58;11pt;line-height&#58;107%;font-family&#58;&quot;times new roman&quot;, serif;"> <span class="MsoFootnoteReference"> <span style="font-size&#58;11pt;line-height&#58;107%;font-family&#58;&quot;times new roman&quot;, serif;"> <a name="footnote1">[1]</a><span style="font-size&#58;11pt;line-height&#58;107%;font-family&#58;&quot;times new roman&quot;, serif;"> 12 U.S.C. 4511(b)(2), 42 U.S.C. 3608(d).​</span><br></span></span></span></span></p><p> <a name="footnote2">[2]&#160;</a><a href="/SupervisionRegulation/Rules/Pages/Policy-Statement-on-Fair-Lending.aspx">https&#58;//www.fhfa.gov/SupervisionRegulation/Rules/Pages/Policy-Statement-on-Fair-Lending.aspx</a> </p><p> <a name="footnote3">[3]&#160;</a><a href="/PolicyProgramsResearch/Policy/Pages/Fair-Lending-Oversight.aspx">https&#58;//www.fhfa.gov/PolicyProgramsResearch/Policy/Pages/Fair-Lending-Oversight.aspx</a><br></p><p style="border&#58;0px;font-stretch&#58;inherit;font-size&#58;14px;line-height&#58;22px;font-family&#58;&quot;source sans pro&quot;, sans-serif;vertical-align&#58;baseline;padding&#58;0px;background-color&#58;#ffffff;color&#58;#404040 !important;"> <a name="footnote4">[4]</a><span style="font-style&#58;normal;">&#160;</span><a href="/Media/PublicAffairs/PublicAffairsDocuments/FHFA-HUD-MOU_8122021.pdf" style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;font-style&#58;normal;">https&#58;//www.fhfa.gov/Media/PublicAffairs/PublicAffairsDocuments/FHFA-HUD-MOU_8122021.pdf</a></p><p style="border&#58;0px;font-stretch&#58;inherit;font-size&#58;14px;line-height&#58;22px;font-family&#58;&quot;source sans pro&quot;, sans-serif;vertical-align&#58;baseline;padding&#58;0px;background-color&#58;#ffffff;color&#58;#404040 !important;"> <span style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;font-weight&#58;700 !important;"> <span style="border&#58;0px;font-variant&#58;inherit;font-weight&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;"><a name="footnote5">[5]</a>&#160;<span style="font-style&#58;normal;">Executive Order 12892 section 2-204,</span><span style="font-style&#58;normal;">&#160;</span><em style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;font-weight&#58;400;">available at</em><span style="font-style&#58;normal;">&#58;</span><span style="font-style&#58;normal;">&#160;</span><a href="https&#58;//www.govinfo.gov/content/pkg/WCPD-1994-01-24/pdf/WCPD-1994-01-24-Pg110.pdf" style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;font-style&#58;normal;">https&#58;//www.govinfo.gov/content/pkg/WCPD-1994-01-24/pdf/WCPD-1994-01-24-Pg110.pdf</a><span style="font-style&#58;normal;">.</span></span></span></p><p style="border&#58;0px;font-stretch&#58;inherit;font-size&#58;14px;line-height&#58;22px;font-family&#58;&quot;source sans pro&quot;, sans-serif;vertical-align&#58;baseline;padding&#58;0px;background-color&#58;#ffffff;color&#58;#404040 !important;"> <span style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;font-weight&#58;700 !important;"> <em style="border&#58;0px;font-variant&#58;inherit;font-weight&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;"> <span style="font-style&#58;normal;"> <span class="MsoFootnoteReference"> <span style="font-size&#58;11pt;line-height&#58;107%;font-family&#58;&quot;times new roman&quot;, serif;"> <span class="MsoFootnoteReference"> <span style="font-size&#58;11pt;line-height&#58;107%;font-family&#58;&quot;times new roman&quot;, serif;"></span></span></span></span> <span style="font-size&#58;11pt;line-height&#58;107%;font-family&#58;&quot;times new roman&quot;, serif;"> <em> </em><a name="footnote6">[6]</a>&#160;<span style="font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;color&#58;#404040;"><em>See, e.g.,</em></span>&#160;12 U.S.C. 4545, 15 U.S.C. 1691(a), 42 U.S.C. 3601&#160;<span style="font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;color&#58;#404040;"><em>et seq.</em></span></span><br></span></em></span></p><p style="font-style&#58;normal;"> <a name="footnote7">[7]</a>&#160;The Department of Housing and Urban Development has determined that the Fair Housing Act's prohibition on sex discrimination includes discrimination on the basis of sexual orientation or gender identity.&#160;<em>See</em>&#160;Implementation of Executive Order 13988 on the Enforcement of the Fair Housing Act,&#160;<em>available at</em>&#58;&#160;<a href="https&#58;//www.hud.gov/sites/dfiles/PA/documents/HUD_Memo_EO13988.pdf">https&#58;//www.hud.gov/sites/dfiles/PA/documents/HUD_Memo_EO13988.pdf</a>. FHFA supervises and enforces the Fair Housing Act consistent with HUD's interpretation.</p><p style="font-style&#58;normal;"> <a name="footnote8">[8]</a>&#160;Interference claims are also cognizable under the Fair Housing Act and its implementing regulation.&#160;<em>See supra&#160;</em>Section H,<em>&#160;</em>Retaliation or Interference;&#160;<em>e.g.</em>,<em>&#160;</em>42 U.S.C. 3617 (“It shall be unlawful to coerce, intimidate, threaten, or interfere with any person in the exercise or enjoyment of, or on account of his having exercised or enjoyed, or on account of his having aided or encouraged any other person in the exercise or enjoyment of, any right granted or protected by section 3603, 3604, 3605, or 3606 of this title.&quot;); 24 CFR 100.400.</p><p style="font-style&#58;normal;"> <a name="footnote9">[9]</a>&#160;The Fair Housing Act uses the term “handicap&quot; instead of the term &quot;disability.&quot; Both terms have the same legal meaning.&#160;<em>See Bragdon v. Abbott</em>, 524 U.S. 624, 631 (1998) (noting that definition of&#160;<span style="font-style&#58;normal;">“disability&quot; in the Americans with Disabilities Act is drawn almost verbatim “from the definition&#160;</span><span style="font-style&#58;normal;">of 'handicap' contained in the Fair Housing Amendments Act of 1988&quot;). This document uses the&#160;</span><span style="font-style&#58;normal;">term &quot;disability,&quot; which is more generally accepted.</span></p><p style="font-style&#58;normal;"> <a name="footnote10">[10]</a>&#160;<em>See, e.g.,</em>&#160;12 CFR 1002, Official Interpretations, comment 2(z)-1; 24 CFR part 100.70(a).</p><p style="font-style&#58;normal;"> <a name="footnote11">[11]</a>&#160;<em>See, e.g.,</em>&#160;24 CFR 100.125.<br></p><p style="font-style&#58;normal;"> <a name="footnote12">[12]</a>&#160;<em>See, e.g.,</em>&#160;24 CFR 100.120.</p><p style="font-style&#58;normal;"> <a name="footnote13">[13]</a>&#160;<em>See, e.g.,</em>&#160;12 CFR 1002, Official Interpretations, comment 2(l)-1.</p><p style="font-style&#58;normal;"> <a name="footnote14">[14]</a>&#160;<em>See, e.g.,</em>&#160;24 CFR 100.60.</p><p style="font-style&#58;normal;"> <a name="footnote15"> [15]</a>&#160;<em>See, e.g.,</em>&#160;24 CFR 100.75, 100.75(c)(2).</p><p style="font-style&#58;normal;"> <a name="footnote16">[16]</a>&#160;<em>See, e.g.,</em>&#160;24 CFR 100.135(d)(1).</p><p style="font-style&#58;normal;"> <a name="footnote17">[17]</a>&#160;See, e.g., 24 CFR 100.130(b)(3);&#160;<em>see also&#160;</em>Federal Reserve CA 09-13 (Dec. 4, 2009) (ECOA guidance for loss mitigation under HAMP program).</p><p style="font-style&#58;normal;"> <a name="footnote18">[18]</a>&#160;<em>See, e.g.,</em>&#160;24 CFR 100.125(b)(2), (3).</p><p style="font-style&#58;normal;"> <a name="footnote19">[19]</a>&#160;<em>See, e.g.,</em>&#160;24 CFR 100.20 (definition of “dwelling&quot;)</p><p style="font-style&#58;normal;"> <a name="footnote20">[20]</a>&#160;<em>See, e.g.,</em>&#160;24 CFR 100.70(b).</p><p style="font-style&#58;normal;"> <a name="footnote21">[21]</a>&#160;<em>See, e.g.</em>, 24 CFR 100.135.<br></p><p style="font-style&#58;normal;"> <a name="footnote22">[22]</a>&#160;<em>See, e.g.,</em>&#160;24 CFR 100.7.</p><p style="font-style&#58;normal;"> <a name="footnote23">[23]</a>&#160;<em>See, e.g.,&#160;</em>24 CFR 100.7(a)(1) and (b).</p><p style="font-style&#58;normal;"> <a name="footnote24">[24]</a>&#160;<em>See, e.g.</em>, 24 CFR 100.7(a)(1)(iii).​<br></p><p style="border&#58;0px;font-stretch&#58;inherit;font-size&#58;14px;line-height&#58;22px;font-family&#58;&quot;source sans pro&quot;, sans-serif;vertical-align&#58;baseline;padding&#58;0px;background-color&#58;#ffffff;color&#58;#404040 !important;"> <span style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;font-weight&#58;700 !important;"> <em style="border&#58;0px;font-variant&#58;inherit;font-weight&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;"> <span style="font-style&#58;normal;"> <a name="footnote25">[25]</a><span style="font-style&#58;normal;">&#160;</span><em style="font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;color&#58;#404040;">See, e.g.,</em><span style="font-style&#58;normal;">&#160;1994 Policy Statement on Discrimination in Lending,&#160;</span><em style="font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;color&#58;#404040;">available at</em><span style="font-style&#58;normal;">&#58;&#160;</span><a href="https&#58;//www.govinfo.gov/content/pkg/FR-1994-04-15/html/94-9214.htm" style="font-style&#58;normal;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;">https&#58;//www.govinfo.gov/content/pkg/FR-1994-04-15/html/94-9214.htm</a><span style="font-style&#58;normal;">; Federal Financial Institutions Examination Council Interagency Fair Lending Exam Procedures,&#160;</span><em style="font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;color&#58;#404040;">available at</em><span style="font-style&#58;normal;">&#58;&#160;</span><a href="https&#58;//www.ffiec.gov/PDF/fairlend.pdf" style="font-style&#58;normal;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;">https&#58;//www.ffiec.gov/PDF/fairlend.pdf</a><span style="font-style&#58;normal;">.</span><span style="font-style&#58;normal;">&#160;&#160;</span><br></span></em></span></p><p style="border&#58;0px;font-stretch&#58;inherit;font-size&#58;14px;line-height&#58;22px;font-family&#58;&quot;source sans pro&quot;, sans-serif;vertical-align&#58;baseline;padding&#58;0px;background-color&#58;#ffffff;color&#58;#404040 !important;"> <span style="border&#58;0px;font-style&#58;inherit;font-variant&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;font-weight&#58;700 !important;"> <em style="border&#58;0px;font-variant&#58;inherit;font-weight&#58;inherit;font-stretch&#58;inherit;font-size&#58;inherit;line-height&#58;inherit;font-family&#58;inherit;vertical-align&#58;baseline;margin&#58;0px;padding&#58;0px;"> <span style="font-style&#58;normal;"> <a name="footnote26">[26]</a><span style="font-style&#58;normal;">&#160;</span><em style="font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;color&#58;#404040;">See, e.g.</em><span style="font-style&#58;normal;">, 42 U.S.C. 3604(b), 24 CFR 100.65(b)(2),&#160;</span><em style="font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;color&#58;#404040;">Nat'l Fair Hous. Alliance v. Bank of Am., N.A.</em><span style="font-style&#58;normal;">, 401 F. Supp. 3d 619, 639 (D.Md. July 18, 2019), Questions and Answers For Federal Reserve-Regulated Institutions Related to the Management of Other Real Estate Owned (OREO) Assets, June 27, 2012,&#160;</span><em style="font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;color&#58;#404040;">available at</em><span style="font-style&#58;normal;">&#58;&#160;</span><a href="https&#58;//www.federalreserve.gov/supervisionreg/srletters/sr1210a1.pdf" style="font-style&#58;normal;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;">https&#58;//www.federalreserve.gov/supervisionreg/srletters/sr1210a1.pdf</a><span style="font-style&#58;normal;">&#160;&#160;&#160;</span><span style="font-style&#58;normal;">(“[I]nstitutions may not avoid or delay the maintenance or repairs of dwellings based on the racial or ethnic composition of the geographic area where they are located.&quot;)</span>​<br></span></em></span></p><div><p style="font-style&#58;normal;"> <a name="footnote27">[27]</a>&#160;<em>See, e.g.,</em>&#160;1994 Policy Statement, Interagency Fair Lending Exam Procedures.</p><p style="font-style&#58;normal;"> <a name="footnote28">[28]</a>&#160;<em>See, e.g.,</em>&#160;1994 Policy Statement on Discrimination in Lending, FFIEC Interagency Fair Lending Exam Procedures.<br></p></div><p style="font-style&#58;normal;"> <a name="footnote29">[29]</a>&#160;<em>Ash v. Tyson Foods, Inc.</em>, 546 U.S. 454, 456 (2006).&#160;<em>See</em>&#160;<em>Avenue 6E Investments, LLC v. City of Yuma</em>, 818 F.3d 493, 506 (9th Cir. 2016) (applying&#160;<em>Ash v. Tyson</em>&#160;standard in a Fair Housing Act case). In general, when analyzing the custom factor, FHFA looks at real estate and mortgage industry standards and practices rather than “local&quot; custom as suggested by the Supreme Court in the employment context.</p><p style="font-style&#58;normal;"> <a name="footnote30">[30]</a>&#160;<em>See, e.g.</em>,<em>&#160;Toledo Fair Hous. Ctr. v. Nationwide Mut. Ins. Co.</em>, 704 N.E.2d 667, 674 (Ct. Com.Pl. Ohio 1997) (noting “pride of ownership&quot; as subjective, discriminatory criteria in insurance underwriting);&#160;Consent Decree in&#160;<em>United States v. Nationwide Mut. Ins. Co.</em>, C2-97-291 (S.D. Ohio Mar. 10, 1997),&#160;<em>available&#160;at&#160;<span style="font-size&#58;11pt;font-family&#58;calibri, sans-serif;"><a href="https&#58;//www.justice.gov/crt/housing-and-civil-enforcement-cases-documents-367">https&#58;//www.justice.gov/crt/housing-and-civil-enforcement-cases-documents-367</a>&#160;</span></em>(banning “pride of ownership&quot; in insurer's underwriting as discriminatory);&#160;<em>Avenue 6E Investments, LLC v. City of Yuma</em>, 818 F.3d at 499&#160;&#160;(noting “pride of ownership&quot; as discriminatory comment in public opposition to affordable housing development);&#160;Uniform Standards of Professional Appraisal Practice, Advisory Opinion 16 (advising appraisers not to use the term “high-crime area&quot; in fair housing advisory opinion from Appraisal Advisory Board)<em>. See Greater New Orleans Fair Hous. Action Ctr. v. St. Bernard Parish</em>, 641 F.Supp.2d 563, 571–72 (E.D.La.2009) (finding references to crime “racially-loaded&quot;);&#160;<em>Atkins v. Robinson</em>, 545 F. Supp. 852, 874 (E.D.Va.1982) (reference to “an abundance of crime&quot; “may be interpreted as [a] veiled reference[ ] to race&quot;);&#160;<em>Pierce v. Metropolitan Liability &amp; Property Ins. Co</em>., 1983 U.S. Dist. LEXIS 11368, *18 (S.D. Ohio 1983) (“This report stated, in part, that the Plaintiffs' house was located in an area where there were a number of vacant or run-down houses, that the area of Plaintiffs' residence was located in a center city with a high frequency of reports of crime and vice. Based upon these facts, one could infer that Plaintiffs' house was located in a predominantly minority area.&quot;);&#160;<em>Barrick Realty, Inc. v. City of Gary</em>, 354 F. Supp. 126 (N.D. Ind. 1973) (“Among the fears of white residents as non-whites begin to move into their neighborhood are rising crime rates, overcrowded schools, declining property values, and a generally lower quality of life.&quot;).<br></p><p style="font-style&#58;normal;"> <a name="footnote31">[31]</a>&#160;<em>See, e.g.,</em>&#160;24 CFR 100.500, 12 CFR 1002.6(a), 1994 Policy Statement on Discrimination in Lending, FFIEC Interagency Fair Lending Exam Procedures.</p><p style="font-style&#58;normal;"> <a name="footnote32">[32]</a>&#160;<em>See, e.g.,</em>&#160;OCC Bulletin 97-24,&#160;<em>available at</em>&#58;&#160;<a href="https&#58;//ithandbook.ffiec.gov/media/resources/3672/occ-bl-97-24_credit_scor_models.pdf">https&#58;//ithandbook.ffiec.gov/media/resources/3672/occ-bl-97-24_credit_scor_models.pdf</a>&#160;(“National banks should avoid including in their credit scoring systems variables that have little influence on the total credit score, yet disadvantage applicants on a prohibited basis to a statistically significant degree.&quot;).&#160;<br></p><p style="font-style&#58;normal;"> <a name="footnote33">[33]</a>&#160;12 U.S.C. 4545(1), 24 CFR 81.42; 12 U.S.C. 1716(4) (Fannie Mae charter); 1451(b)(4) (Freddie Mac charter).</p><p style="font-style&#58;normal;"> <a name="footnote34">[34]</a>&#160;24 CFR 100.75. Affirmative marketing meeting certain requirements may be considered an exception to this prohibition.&#160;<em>See</em>&#160;<em>supra&#160;</em>I.J, Recognized Exceptions..</p><p style="font-style&#58;normal;"> <a name="footnote35">[35]</a>&#160;24 CFR 100.75(c)(2).</p><p style="font-style&#58;normal;"> <a name="footnote36">[36]</a>&#160;24 CFR 100.70.</p><p style="font-style&#58;normal;"> <a name="footnote37">[37]</a>&#160;12 CFR 1002.4(b).<br></p><p style="font-style&#58;normal;"> <a name="footnote38">[38]</a>&#160;24 CFR 100.135(d)(1). The Fair Housing Act does include a limited exemption for appraisers, who may “take into consideration factors other than race, color, religion, national origin, sex, [disability]. . ., or familial status&quot; regardless of other requirements in the statute. 42 U.S.C. 3605(c).</p><p style="font-style&#58;normal;"> <a name="footnote39">[39]</a>&#160;12 U.S.C. 4545(1), (6).</p><p style="font-style&#58;normal;"> <a name="footnote40">[40]</a>&#160;24 CFR 100.400.<br></p><div><p style="font-style&#58;normal;"> <a name="footnote41">[41]</a>&#160;<em>See</em>&#160;12 CFR 1002.8.</p><p style="font-style&#58;normal;"> <a name="footnote42">[42]</a>&#160;See Advisory Opinion on Special Purpose Credit Programs (Dec. 21, 2020), available at&#58;&#160;<a href="https&#58;//www.consumerfinance.gov/rules-policy/final-rules/advisory-opinion-on-special-purpose-credit-programs/">https&#58;//www.consumerfinance.gov/rules-policy/final-rules/advisory-opinion-on-special-purpose-credit-programs/</a>.</p><p style="font-style&#58;normal;"> <a name="footnote43">[43]</a>&#160;See Office of General Counsel Guidance on the Fair Housing Act's Treatment of Certain Special Purpose Credit Programs That Are Designed and Implemented in Compliance with the Equal Credit Opportunity Act and Regulation B (Dec. 6, 2021), available at&#58;&#160;<a href="https&#58;//www.hud.gov/sites/dfiles/GC/documents/Special_Purpose_Credit_Program_OGC_guidance_12-6-2021.pdf">https&#58;//www.hud.gov/sites/dfiles/GC/documents/Special_Purpose_Credit_Program_OGC_guidance_12-6-2021.pdf</a>.</p><p style="font-style&#58;normal;"> <a name="footnote44">[44]</a>&#160;<em>See, e.g.,&#160;</em>Settlement Agreement between the United States of America and Kleinbank, May 8, 2018,&#160;<em>available at</em>&#58;&#160;<a href="https&#58;//www.justice.gov/opa/press-release/file/1060996/download">https&#58;//www.justice.gov/opa/press-release/file/1060996/download</a>.&#160;<br></p><p style="font-style&#58;normal;"> <a name="footnote45">[45]</a>&#160;24 CFR part 100 subpart E.</p><p style="font-style&#58;normal;"> <a name="footnote46">[46]</a>&#160;12 CFR 1002.4 comment 4(b)-2.<br></p><p style="font-style&#58;normal;"> <a name="footnote47">[47]</a>&#160;<em>See, e.g.,</em>&#160;12 CFR part 1236.</p><p style="font-style&#58;normal;"> <a name="footnote48">[48]</a>&#160;<a href="/SupervisionRegulation/Rules/Pages/Policy-Statement-on-Fair-Lending.aspx">https&#58;//www.fhfa.gov/SupervisionRegulation/Rules/Pages/Policy-Statement-on-Fair-Lending.aspx</a>.<br></p><p style="font-style&#58;normal;"> <a name="footnote49">[49]</a>&#160;<em>See, e.g.,</em>&#160;12 CFR 1002.9.</p><p style="font-style&#58;normal;"> <a name="footnote50">[50]</a>&#160;<em>See,</em>&#160;<em>e.g.,</em>&#160;Federal Reserve Consumer Affairs Letter 09-13,&#160;<em>available at</em>&#58;&#160;<a href="https&#58;//www.federalreserve.gov/boarddocs/caletters/2009/0913/caltr0913.htm">https&#58;//www.federalreserve.gov/boarddocs/caletters/2009/0913/caltr0913.htm</a>.<br></p><p style="font-style&#58;normal;"> <a name="footnote51">[51]</a>&#160;12 U.S.C. 1456(e), 1723a(m), 4544(b)(3), 4545(2)-(3), 4561(d)(1). Primary mortgage market lenders are required to collect data for government fair lending monitoring as well under 12 CFR 1002.13 and 12 CFR part 1003. The Enterprises' Uniform Residential Loan Application (URLA) is a vehicle frequently used for the collection of this data across the mortgage industry.</p><p style="font-style&#58;normal;"> <a name="footnote52">[52]</a>&#160;<em>See</em>&#160;In Re&#58; Enterprise Compliance and Information Submission with Respect to Fair Lending, Order No. 2021-OR-FNMA-2 and Order No. 2021-OR-FHLMC-2,<em>&#160;available at&#58;&#160;</em><a href="/PolicyProgramsResearch/Policy/Pages/Fair-Lending-Oversight.aspx">https&#58;//www.fhfa.gov/PolicyProgramsResearch/Policy/Pages/Fair-Lending-Oversight.aspx</a>.</p><p style="font-style&#58;normal;"> <a name="footnote53">[53]</a>&#160;24 CFR 81.43.</p><p style="font-style&#58;normal;"> <a name="footnote54">[54]</a>&#160;12 CFR 1254.6(a), (a)(2).</p><p style="font-style&#58;normal;"> <a name="footnote30">[55]</a>&#160;12 CFR 1254.8(b)(2).<br></p><p style="font-style&#58;normal;"><a name="footnote30">[56]</a> 24 CFR 81.244, 81.46.<br></p><p style="font-style&#58;normal;"> <a name="footnote57">[57]</a><span style="font-style&#58;normal;">&#160;</span><a href="/Media/PublicAffairs/PublicAffairsDocuments/Equitable-Housing-Finance-Plans-RFI.pdf" style="font-style&#58;normal;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;">https&#58;//www.fhfa.gov/Media/PublicAffairs/PublicAffairsDocuments/Equitable-Housing-Finance-Plans-RFI.pdf</a><span style="font-style&#58;normal;">.</span></p></div><div>​<br></div><div><div><table width="100%" class="ms-rteTable-default" cellspacing="0" style="font-style&#58;normal;font-weight&#58;400;font-size&#58;14px;font-family&#58;&quot;source sans pro&quot;, sans-serif;"><tbody><tr><td class="ms-rteTable-default" style="width&#58;776px;"><p>FHFA has statutory responsibility to ensure&#160; that the regulated entities carry out their missions consistently with the provisions and purposes of FHFA's statute and the regulated entities' authorizing statutes and applicable law.&#160; Advisory Bulletins describe&#160;supervisory expectations in&#160;particular areas and are used in FHFA examinations of the regulated entities. For comments or questions pertaining to this Advisory Bulletin, contact James Wylie at&#160;<a href="mailto&#58;James.Wylie@FHFA.gov">James.Wylie@FHFA.gov​</a>&#160;or by phone at 1-202-649-3209.<br></p></td></tr></tbody></table> <br>​<br><br>​<br></div></div>12/20/2021 9:43:06 PMHome / Supervision & Regulation / Advisory Bulletins / Enterprise Fair Lending and Fair Housing Compliance Advisory Bulletin AB 2021-04:  Enterprise Fair Landing and Fair 1503https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets for Special Mention34027FHLB & Fannie Mae & Freddie Mac8/25/2021 4:00:00 AMAB 2021-03​​​​​​​​​​<br> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​ADVISORY BULLETIN</strong></p><p> <strong>AB 2021-03&#58;&#160;&#160;FRAMEWORK FOR ADVERSELY CLASSIFYING LOANS, OTHER REAL ESTATE OWNED, AND OTHER ASSETS AND LISTING ASSETS FOR SPECIAL MENTION</strong></p></td></tr></tbody></table><p> <em style="text-decoration&#58;underline;"> <em> <strong></strong></em></em></p><p style="text-align&#58;justify;"> <span style="text-decoration&#58;underline;"><strong><em></em></strong></span></p><p> <em style="text-decoration&#58;underline;"><strong>Purpose</strong></em><br></p><p>​This Advisory Bulletin (Advisory Bulletin, or guidance) establishes guidelines for adverse and non-adverse classification of assets (assets refer to on-balance sheet or off-balance sheet credit exposures) at Fannie Mae and Freddie Mac (Enterprises) and the Federal Home Loan Banks (FHLB​anks) (collectively, the regulated entities).&#160; These guidelines describe sound practices for managing credit risk at the regulated entities.&#160; This guidance does not apply to investment securities.<a href="#footnote1">[1]</a>&#160; ​This Advisory Bulletin rescinds and replaces <em>Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets For Special Mention</em> (AB 2012-02), and rescinds <em>Clarification of Implementation for Advisory Bulletin 20</em><em>12-02, Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets for Special Mention</em>&#160;(AB 2013-02).<br></p><p>FHFA examiners will evaluate how the regulated entities apply this guidance to their classification practices.</p><p style="text-decoration&#58;underline;"> <strong> <em>Background</em></strong></p><p>The purpose of this Advisory Bulletin is to establish a standard and uniform methodology for classifying regulated entity assets based on their credit quality, as well as to affirm the basis for writing off loans classified as Loss.&#160; Asset classification is a critical element in evaluating the risk profile of the regulated entities.&#160; Asset classification also provides a mechanism to validate the regulated entity's internal risk identification processes and establishes a common set of classification definitions to serve as the basis for asset quality metrics.&#160; In addition, this Advisory Bulletin describes procedures for listing assets for Special Mention, which can be an effective method to identify and rectify weaknesses in credit management practices before deterioration occurs.&#160; This guidance considers and is generally consistent with the <em>Uniform Retail Credit Classification and Account Management Policy&#160;&#160;</em>issued by the Federal Financial Institutions Examination Council (FFIEC) in June 2000, which established specific procedures for the adverse classification of residential mortgage loans and other retail loans.<br></p><p>This Advisory Bulletin is intended to be consistent with applicable statutes, regulations, and Generally Accepted Accounting Principles (GAAP).&#160; It does not relieve or diminish the responsibility of a regulated entity's board of directors or management to follow applicable laws, rules, and regulations and to conform to applicable accounting standards, <em>i.e.,</em>&#160;GAAP.&#160; Any conflicts should be resolved to comply with applicable laws and regulations, and to conform to applicable accounting standards.&#160;&#160;<br></p><p style="text-decoration&#58;underline;"> <strong> <em>Guidance</em></strong></p><p> <strong>I. Definitions</strong></p><p>The following definitions apply when considering the adverse classification of assets at the regulated entities.<br></p><p>An asset classified <strong> <em>Substandard </em></strong>is protected inadequately by the current net worth and paying capacity of the obligor, or by the collateral pledged, if any.&#160; Assets so classified must have a well-defined weakness or weaknesses that jeopardize the liquidation of the debt.&#160;&#160;They are characterized by the distinct possibility that the institution will sustain some loss if the deficiencies are not corrected.<br></p><p>An asset classified <strong> <em>Doubtful</em></strong> has all the weaknesses inherent in one classified <strong> <em>Substandard </em></strong>with the added characteristic that the weaknesses make collection or liquidation in full, on the basis of currently existing facts, conditions, and values, highly questionable and improbable.<br></p><p>An asset, or portion thereof, classified <strong> <em>Loss </em></strong>is considered uncollectible, and of such little value that its continuance on the books is not warranted.&#160; This classification does not mean that the asset has absolutely no recovery or salvage value; rather, it is not practical or desirable to defer writing off an essentially worthless asset (or portion thereof), even though partial recovery may occur in the future.<br></p><p></p><p> <strong>II. Adverse Classification of Assets</strong></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> <em>A. Single-Family Residential Mortgage Loans</em></p></blockquote><p> <strong></strong></p><p> <span style="color&#58;#444444;">Single-family residential mortgage loans, including FHLBank Acquired Member Assets (AMA),</span><a href="#footnote2" style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;">[2]</a><span style="color&#58;#444444;">&#160;​consist of first mortgages secured by one-to-four family residential real estate.&#160;&#160;Given their size, general homogeneity, and the volume of residential mortgage loans at the Enterprises and the FHLBanks, it may be impractical to individually review specific loans to determine credit quality.&#160; Such loans should be classified using the following guidelines&#58;</span></p><ul><li> <span style="color&#58;#444444;">​Single-family residential real estate loans that are delinquent 90 days or more with loan-to-value ratios greater than 60 percent, should be classified Substandard.</span></li><li> <span style="color&#58;#444444;">A current assessment of value should be made before a single-family residential mortgage loan with a loan-to-value ratio greater than 60 percent is more than 180 days past due.&#160; Any outstanding loan balance in excess of the sum of (i) current fair value of the collateral, less costs to sell, and (ii) any expected proceeds from non-freestanding</span><a href="#footnote3" style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;">[3]</a><span style="color&#58;#444444;">&#160;​credit enhancements should be classified Loss not later than when the loan is 180 days delinquent.&#160; Properly secured residential real estate loans with loan-to-value ratios equal to or less than 60 percent are generally not classified based solely on delinquency status.</span></li><li> <span style="color&#58;#444444;">When a borrower is in bankruptcy, a portion of the loan should be classified as Loss and written down to the fair value of the collateral, less costs to sell, within 60 days of receipt of the notification of filing from the bankruptcy court or within the delinquency time frames specified in this policy, whichever is shorter, unless it can be clearly demonstrated and documented that repayment is likely to occur.&#160; Any loan balance remaining after write-off should be classified Substandard until the borrower demonstrates the ability and willingness to repay for a period of at least six consecutive months.</span></li><li> <span style="color&#58;#444444;">Fraudulent loans, if not covered by any existing representations and warranties in the loan purchase agreement, should be classified as Loss and written off within 90 days of discovery of the fraud, or within the delinquency time frames specified in this adverse classification policy, whichever is shorter.</span></li></ul><p>Regulated entities should write off the portion of the asset adversely classified as Loss except in certain limited circumstances.<a href="#footnote4">[4]</a>&#160; ​A write-off should result in the balance of the asset being reduced by the amount of the loss.&#160; The write-off associated with any Loss classification should be taken by the end of the month in which the applicable time period elapses.<br></p><p>If the regulated entity can clearly document that the delinquent loan is well-secured and in the process of collection, such that collection will occur regardless of delinquency status, then the loan need not be adversely classified.&#160; A well-secured loan is collateralized by a perfected security interest in real property with an estimated fair value, less costs to sell, sufficient to recover the loan balance.&#160; &quot;In the process of collection&quot; means that either a collection effort or legal action is proceeding and is reasonably expected to result in recovery of the loan balance or restoration of the loan to a current status, generally within the next 90 days.&#160; Other exceptions to this adverse classification policy might be for loans that are supported by valid insurance claims, such as federal loan guarantee programs.</p><p>In determining a single-family mortgage loan's delinquency status, the regulated entity should use one of two methods to recognize partial payments.&#160; A payment equivalent to 90 percent or more of the contractual payment may be considered a full payment in computing delinquency.&#160; Alternatively, the regulated entity may aggregate payments and give credit for any partial payment received.&#160; For example, if a regular payment is $300 and the borrower makes payments of only $150 per month for a six-month period, the loan would be $900, or three full months delinquent.&#160; A regulated entity may use either or both methods for loans in its portfolio but may not use both methods simultaneously with a single loan.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> <em>B. Multifamily Residential Mortgage Loans</em><br></p></blockquote><p>Multifamily residential mortgage loans consist of first mortgages secured by multifamily (5 units or more) residential real estate.&#160; Multifamily real estate loans should not be adversely classified if they are current and are adequately protected by the underlying collateral value and debt service capacity of the property, or a guarantor with demonstrated ability and willingness to perform on the loan.&#160; The following applies to the adverse classification of multifamily residential mortgage loans.</p><p>To determine the appropriate adverse classification, examiners will evaluate the prospects that the loan will be repaid in the normal course of business considering all relevant information.&#160; This includes information on the borrower's creditworthiness and payment record, the nature and degree of protection provided by the cash flow and value of the underlying collateral, and any support provided by financially responsible guarantors.&#160; As a general principle, a performing multifamily real estate loan should not automatically be adversely classified or written off solely because the value of the underlying collateral has declined to an amount that is less than the loan balance.&#160; Similarly, loans to sound borrowers that are refinanced or renewed in accordance with prudent underwriting standards and have not been formally restructured due to troubled condition should not be adversely classified unless well-defined weaknesses exist that jeopardize repayment in the normal course of business.&#160; However, it would be appropriate to adversely classify a performing loan when well-defined weaknesses exist that jeopardize repayment – such as the lack of credible support from reliable sources – using the definitions of Substandard, Doubtful, and Loss set forth above.<br></p><p>Multifamily loans with well-defined weaknesses that subject the regulated entity to the possibility of loss, even if the loan is not seriously delinquent (90 days or more), should be classified Substandard.&#160; For a multifamily loan where there are no available and reliable sources of repayment other than the sale of the underlying real estate collateral, any portion of the loan balance that exceeds the sum of&#160;(i) current fair value of the collateral, less costs to sell, and (ii) any expected proceeds from non-freestanding credit enhancements, should be classified Loss and written off.&#160; The remaining portion of the loan balance that is adequately secured should generally be classified no worse than Substandard.&#160; The amount of the loan balance in excess of the value of the collateral, or portions thereof, should be classified Doubtful, and not Loss, only when the potential for loss may be mitigated by the outcome of certain near-term (generally, within 90 days) pending events.&#160; The Doubtful classification is seldom used and is reserved for situations like those described here.<br></p><p>Regulated entities should write off the portion of the asset adversely classified as Loss except in certain limited circumstances.<a href="#footnote5">[5]</a>&#160;&#160;A write-off should result in the balance of the asset being reduced by the amount of the loss.&#160; The write-off associated with any Loss classification should be taken by the end of the month in which the applicable time period elapses.<br></p><p>When analyzing a formally restructured multifamily loan, the examiner will focus on the borrower's ability to repay the loan in accordance with its modified terms.&#160; Adversely classifying a formally restructured loan would be appropriate, if, after the restructuring, well-defined weaknesses continue to exist that jeopardize the repayment of the loan in accordance with the modified terms.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> <em>C. Other Real Estate Owned</em></p></blockquote><p>Other Real Estate Owned (REO) should be evaluated for possible adverse classification of Substandard, Doubtful or Loss.&#160; The regulated entity should make periodic (at least annual) reappraisals of the value of the REO.&#160;&#160;In cases when a reliable appraisal is not available, or the appraisal on file is outdated, there are other acceptable methods the regulated entity can use for determining and documenting the value of the REO.&#160; For purposes of classification, any portion of the balance of the REO in excess of fair value, less costs to sell, should be classified Loss.&#160; However, the portion of the held-for-sale REO classified as Loss should not be written off.&#160; Examiners will review all relevant factors in evaluating the regulated entity's adverse classification of the remaining book value of the REO.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> <em style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;font-weight&#58;400;">D. Other Assets (including Off-Balance Sheet Credit Exposures)</em></p></blockquote><p>Although not specifically enumerated, the regulated entities may have other assets such as accrued interest receivables, property tax and insurance advance receivables, reverse repurchase (repo) receivables, and insurance benefit receivables that warrant adverse classification.&#160; Similarly, off-balance sheet credit exposures such as standby letters of credit and financial guarantees may also warrant adverse classification.&#160; Examiners will review all relevant factors in evaluating the regulated entity's adverse classification of the assets and off-balance sheet credit exposures.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p> <em>E. FHLBank Advances</em></p></blockquote><p>Advances made by the FHLBanks to their members and housing associates generally pose minimal credit risk.&#160; Advances must be fully secured by eligible collateral and, in the case of member advances, are further secured by the borrowing members'&#160;FHLBank capital stock.&#160; In addition, the Federal Home Loan Bank Act grants each FHLBank a priority lien over the liens of other similarly-situated creditors on assets securing member advances.<a href="#footnote6">[6]</a> &#160;However, there may be instances in which collateral adequacy may be uncertain and/or the priority lien may not be relied upon, such as in the case of advances to&#160; housing associates, or where another creditor has a superior lien under applicable law (for example, where the other creditor's lien is perfected, but the FHLBank's lien is not).&#160; In such cases, examiners will evaluate the facts and circumstances to determine whether it is appropriate to adversely classify the advance.</p><p> <strong>III. Non-Adverse Classification of Assets – Special Mention</strong><br></p><p>In some instances, it may be appropriate to list an asset for Special Mention.&#160; The following definition should be used for listing an asset for Special Mention&#58;<br></p><p>A <strong> <em>Special Mention </em></strong>asset has potential weaknesses that deserve management's close attention.&#160; If left uncorrected, these potential weaknesses may result in deterioration of the assets'&#160;repayment prospects or may cause deterioration in the regulated entity's credit position at some future date.&#160; <strong> <em>Special Mention</em></strong> assets are not adversely classified and do not expose a regulated entity to sufficient risk to warrant adverse classification.<br></p><p>Ordinarily, assets listed for Special Mention have deficiencies in the administration of those assets which corrective management action might remedy, for example, weak loan origination and/or weak servicing policies.&#160; While inadequate policies and practices could ultimately result in deterioration of the asset and adverse classification, an asset should not be adversely classified unless it also meets one or more of the adverse classification indicators.&#160; The Special Mention classification serves as an indicator of the quality of the asset portfolio and should be used to provide direction to management on corrective measures that might be taken to strengthen an asset to avoid potential deterioration in the asset's quality.<br></p><p>Mortgages held by the regulated entities that are in loss mitigation, or have been modified and are performing according to the terms of the modification, should be listed as Special Mention but not adversely classified.&#160; The loan no longer needs to be listed as Special Mention after performance according to the terms of the modification has occurred for a period of six consecutive months.&#160; If the loan becomes delinquent after modification, adverse classification could apply according to the previously described criteria.<br></p><p>The level of adversely classified assets or assets listed for Special Mention is an indicator of the regulated entity's asset quality and overall risk profile, and may indicate whether risk management practices regarding underwriting and loan administration are effective.&#160; At a minimum, management and boards of directors of the regulated entities should evaluate risk management and other asset-specific policies and procedures annually to ensure that appropriate risk controls have been implemented.<a href="#footnote7">[7]</a>&#160;&#160;If the level of adversely classified assets suggests deterioration in any asset category, more frequent evaluations of the related policies and procedures are appropriate.&#160; Risk management and other policies will be reviewed by FHFA as part of its supervision program.<br></p><p> <strong> <em>Related Guidance and Regulations</em></strong><br></p><p>FASB ASC 326-20, Financial Instruments - Credit Losses – Measured at Amortized Cost<br></p><p>Uniform Retail Credit Classification and Account Management Policy, FFIEC<br></p><div><p> <a name="footnote1">[1]</a>&#160;Investment securities refer to securities subject to the guidance of the Financial Accounting Standards Board (FASB)'s Accounting Standards Codification (ASC), Topic 320, Investments – Debt Securities, and Subtopic 325-40, Investments – Other - Beneficial Interests in Securitized Financial Assets.<br></p><p> <a name="footnote2">[2]</a>&#160;The AMA regulation (12 CFR part 1268) authorizes FHLBanks to acquire certain assets (principally, conforming residential mortgage loans) from their members and housing associates and prescribes the parameters within which each FHLBank may do so.&#160;<br></p><p> <a name="footnote3">[3]</a>&#160;Examples of non-freestanding credit enhancements include, but are not limited to, private mortgage insurance, the Federal Housing Administration's (FHA) insurance, the Department of Veteran Affairs'&#160;(VA) guarantee, and for the FHLBanks'&#160;Acquired Member Assets (AMA) program, the various types of permissible agreements to share credit losses in purchased loans with the selling members.</p><p> <a name="footnote4">[4]</a>&#160;1) As required to maintain compliance with GAAP.&#160; 2) For loans classified as Held For Sale (HFS) and loans which a regulated entity has elected to account for under the Fair Value Option (FVO), no portion classified as Loss would be written off.<br></p><p> <a name="footnote5">[5]</a>&#160;1) As required to maintain compliance with&#160; GAAP. 2) For loans classified as Held For Sale (HFS) and loans which a regulated entity has elected to account for under the Fair Value Option (FVO), no portion classified as Loss would be written off.<br></p><p> <a name="footnote6">[6]&#160;</a><em>See </em>12 U.S.C. §&#160;1430(e).&#160; Although this provision grants FHLBank liens priority over those of similarly-situated creditors, it does not grant FHLBank liens priority over those of creditors with liens entitled to priority under otherwise applicable law.<br></p><p> <a name="footnote7">[7]</a>&#160;<em>See </em>12 CFR part 1236, Appendix (Prudential Management and Operations Standards).​&#160;&#160;<br></p></div><div> <br> </div><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance.&#160; Advisory&#160;bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance.&#160;&#160;Questions about this advisory bulletin should be directed to&#58;&#160; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. </p></td></tr></tbody></table> <br>8/25/2021 2:00:32 PMHome / Supervision & Regulation / Advisory Bulletins / Framework for Adversely Classifying Loans, Other Real Estate Owned, and Other Assets and Listing Assets for Special 2927https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Enterprise Risk Management Program31536Fannie Mae & Freddie Mac12/11/2020 5:00:00 AMAB 2020-06<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​ADVISORY BULLETIN</strong></p><p> <strong>AB 2020-06&#58; ENTERPRISE RISK MANAGEMENT PROGRAM (<a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB-2020-06_Enterprise-Risk-Management-Program.pdf">PDF</a>)</strong></p></td></tr></tbody></table><p> <em style="text-decoration&#58;underline;"><em><strong>​Purpose</strong></em></em></p><p>This advisory bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance for an effective enterprise risk management (ERM) program to maintain safe and sound operations at Fannie Mae and Freddie Mac (the Enterprises).<a href="#footnote1">[1]</a>&#160; The ERM program establishes the foundation and sets the framework for an Enterprise’s enterprise-wide risk management practices and processes.&#160; Therefore, this AB applies to all risk management activities undertaken by the Enterprises and is consistent with risk area-specific guidance.&#160; The sophistication of the ERM program should be commensurate with the Enterprise’s capital structure, risk appetite, size, complexity, activities, and other appropriate risk-related factors.</p><p style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></p><p>Minimum regulatory standards relating to the responsibilities of each Enterprise's board of directors (board), corporate practices, and corporate governance are prescribed in FHFA's regulation, Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance Matters (Corporate Governance Rule),<em> </em>12 CFR Part 1239.&#160; The Corporate Governance Rule prescribes requirements for an Enterprise to adopt and establish an ERM program that incorporates the Enterprise's risk appetite, aligns the risk appetite with the Enterprise's strategies and objectives, addresses the Enterprise's material risk exposures, and complies with all applicable FHFA regulations and policies.&#160; FHFA's Prudential Management and Operations Standards (PMOS), Appendix to 12 CFR Part 1236, set forth the general responsibilities of the board and senior management, as well as specific responsibilities for management and operations relating to ten enumerated standards, adopted as guidelines.&#160; Standard 1 (Internal Controls and Information Systems) and Standard 8 (Overall Risk Management Processes) highlight the need for the Enterprises to establish risk management practices that identify, assess, control, monitor, and report enterprise-wide risk exposures and the need to have appropriate risk management policies, standards, procedures, controls, and reporting systems.&#160;</p><p>This AB articulates FHFA's supervisory expectations that the Enterprises' ERM programs and processes are designed to be consistent with safety and soundness standards and applicable laws and regulations.&#160; FHFA is issuing this AB to provide an additional level of detail regarding ERM governance and organizational structure, risk appetite and limit-setting, and risk identification, assessment, control, monitoring, and reporting processes.&#160; This guidance reflects FHFA's supervisory expectations for the Enterprises to develop a holistic, enterprise-wide view of the most significant risks to the achievement of strategic and business objectives and a framework for effectively managing risk within bounds of risk appetite and tolerance.&#160; An effective ERM program considers the overlap and interrelationship of risks; however, that does not relieve an Enterprise from its obligation to identify and manage all on- and off-balance sheet risks that may be more localized or contained within specific portfolios and business line-levels. &#160;Additionally, this guidance is informed by FHFA's understanding of current industry standards and enterprise-wide risk management best practices at large, complex financial institutions, incorporating principles and concepts from the Committee of Sponsoring Organizations of the Treadway Commission (COSO),<a href="#footnote2">[2]</a> the Financial Stability Board,<a href="#footnote3">[3]</a> and enterprise-wide risk management guidance issued by the federal banking regulators.<a href="#footnote4">[4]</a></p><p style="text-decoration&#58;underline;"> <em><strong>Guidance</strong></em></p><p>The Enterprises are required to establish and maintain a comprehensive ERM program in accordance with all applicable laws and regulations.&#160; Pursuant to the Corporate Governance Rule, an Enterprise must establish and maintain a comprehensive ERM program that establishes the Enterprise's risk appetite and aligns the risk appetite with the Enterprise's strategies and objectives.<a href="#footnote5">[5]</a>&#160;&#160;The ERM program must include business line-appropriate risk limits consistent with risk appetite and provisions for monitoring compliance with the risk limit structure.<a href="#footnote6">[6]</a>&#160; The ERM program must also have appropriate corporate risk policies and procedures relating to risk management governance, risk oversight infrastructure, processes and systems for identifying and reporting risks, including emerging risks, and timely implementation of corrective actions.<a href="#footnote7">[7]</a>&#160; Corporate risk policies should be supported, as applicable, by appropriate standards defining minimum requirements.&#160; Additionally, the ERM program must include provisions specifying ERM management’s authority and independence to carry out risk management responsibilities and the integration of risk management with Enterprise management’s goals and compensation structure.<a href="#footnote8">[8]</a> </p><p>An Enterprise’s ERM program should have interrelated components that work together to ensure comprehensive and integrated enterprise-wide risk management practices and oversight approaches that are the basis for managing risk in a consistent manner.&#160; The ERM program should include the following components&#58;</p><blockquote dir="ltr" style="margin-right&#58;0px;"><p>I. &#160;ERM Governance and Organizational Structure<br>II. &#160;Risk Appetite Framework<br>III. &#160;ERM Identification, Assessment, Control, and Monitoring Processes <br>IV. &#160;ERM Reporting and Communication Processes</p></blockquote><p> <strong>I.&#160; ERM Governance and Organizational Structure</strong></p><blockquote dir="ltr" style="margin-right&#58;0px;"><p style="margin-left&#58;5%;"> <em>A. Governance Structure </em></p></blockquote><p>The board must establish a board-level risk committee to assist in carrying out its responsibility for enterprise-wide risk management oversight.<a href="#footnote9">[9]</a>&#160; The board risk committee must periodically review and recommend to the full board for approval an appropriate ERM program commensurate with the Enterprise’s capital structure, risk appetite, complexity, activities, size, and other appropriate risk-related factors.<a href="#footnote10">[10]</a>&#160; An enterprise risk committee (ERC) should be established as the central management-level risk oversight committee, chaired by the enterprise-wide Chief Risk Officer (CRO), with membership across business functions and risk areas in order to drive a consistent approach to risk oversight.&#160; ERC responsibilities should include monitoring and overseeing risk across the Enterprise, which includes reviewing, and, as applicable, approving corporate risk policies and supporting standards; reviewing risk appetite and limits for approval by the board; monitoring key risk indicators; and reviewing risk reports and issues escalated by subordinate management-level risk committees.&#160; An Enterprise may establish other management-level committees aligned to specific risk and business-line areas to facilitate enterprise-wide risk oversight duties.&#160; Additional first-line risk committees may also be established to facilitate discussion, reporting, and escalation.&#160; Collectively, these committees support effective risk governance by providing a forum for transparent communication and documentation of risk management <a href="#footnote11">[11]</a>&#160;and control activities across functional lines.&#160; They also provide an organized pathway for risk reporting, escalation, and issue resolution management.&#160; </p><p>The Enterprise’s risk management organizational structure and the assignment of roles and responsibilities should generally comprise a “three lines model” and approach to risk management.&#160; The three lines model forms a strong risk management framework and enables effective enterprise-wide risk management practices.&#160; The three lines are&#58; <a href="#footnote12">[12]</a>&#160;</p><ul><li><p>First-line business units and corporate support functions, which are accountable for identifying, assessing, controlling, monitoring, and reporting on all risks in executing their functions and operating in a sound control environment;&#160;&#160;</p></li><li><p>Second-line risk management, which provides independent risk oversight and effective challenge of the first line business unit and support functions.&#160; Second-line risk management includes the ERM function, along with compliance <a href="#footnote13">[13]</a> and other risk oversight functions, as deemed applicable, that monitor risk-taking activities and assess risks and issues independent of first line business units and functions, but still under the direction and control of senior management; and</p></li><li><p>Third-line internal audit, which provides timely feedback to management and independent assurance to the board audit committee on the effectiveness of the Enterprise’s system of internal controls, risk management, and governance.<a href="#footnote14">[14]</a>&#160; Third-line internal audit maintains objectivity and independence from management.</p></li></ul><blockquote dir="ltr" style="margin-right&#58;0px;"><p style="margin-left&#58;5%;"> <em>B. Roles and Responsibilities </em></p></blockquote><p>The board is ultimately responsible for enterprise-wide risk management oversight.<a href="#footnote15">[15]</a>&#160; The board is responsible for approving and periodically reviewing the ERM program, and having it in effect at all times.<a href="#footnote16">[16]</a>&#160; The board’s responsibility for reviewing and approving the ERM program includes establishing the Enterprise’s risk appetite and overseeing alignment of risk appetite with the Enterprise’s strategies and objectives.<a href="#footnote17">[17]</a>&#160; The board is responsible for approving the Enterprise’s risk appetite addressing material risk exposures and risk limits appropriate to each business line of the Enterprise.<a href="#footnote18">[18]</a>&#160; The board-level risk committee is responsible for reviewing and recommending the ERM program to the board for approval.<a href="#footnote19">[19]</a>&#160; Management is responsible for providing adequate reporting to permit the board to remain sufficiently informed about the nature and level of the Enterprise’s overall risk exposures so that it can understand the possible short- and long-term effects of those exposures on the financial and operational health of the Enterprise, including the possible consequences to earnings, liquidity, and economic value.<a href="#footnote20">[20]</a></p><p>An Enterprise must appoint an enterprise-wide CRO to head the independent ERM function, with responsibilities for implementing and maintaining appropriate enterprise-wide risk management practices for the Enterprise.<a href="#footnote21">[21]</a>&#160; The ERM function is responsible for&#58; (1) establishing appropriate corporate risk policies and supporting standards related to risk management governance, practices, and controls; (2) developing appropriate enterprise-wide processes and systems for identifying and reporting current and emerging risks; (3) developing the risk appetite framework, including establishing and recommending for board approval risk appetite statements and risk limits; (4) establishing business-line appropriate risk limits in line with risk appetite and monitoring compliance with such limits; (5) monitoring the level and trend of risk exposures, testing controls, verifying measures for risk exposures used by the business; and (6) communicating enterprise-wide risk management issues and emerging risks, and monitoring effective and timely issue resolution.&#160; Independence from the risk-taking business units and functional areas is a cornerstone of an effective ERM function.&#160; Although staff performing the ERM function should work closely and coordinate with business unit personnel, they should maintain independence by performing the appropriate oversight and assisting business units with risk analyses.&#160; ERM staff should have the expertise to critically review and the independence to effectively challenge the Enterprise’s business practices and risk-taking activities.</p><p>The CRO must report directly to the board risk committee and to the Chief Executive Officer (CEO) on significant risk exposures and related controls, changes to risk appetite, risk management strategies, results of risk management reviews, and emerging risks.<a href="#footnote22">[22]</a>&#160; The CRO is also responsible for regularly reporting on the Enterprise’s compliance with, and adequacy of, its corporate risk management policies, and must recommend any adjustments as necessary and appropriate.<a href="#footnote23">[23]</a>&#160; The CRO should also report on compliance with, and adequacy of, supporting corporate risk standards.&#160; Individual business or functional risk officers may be designated and delegated risk authority of specific risk areas and functions, as appropriate, to facilitate enterprise-wide risk oversight.&#160; </p><p>First-line business units and corporate support functions are responsible for managing risks that arise in the execution of their functions.&#160; This includes responsibility for identifying, assessing, controlling, monitoring, and reporting risks in alignment with the methodologies as established in corporate risk policies and supporting standards.&#160; First-line functions should be aware of applicable risk appetite limits, thresholds, and indicators and their responsibilities associated with managing risks within appetite and escalation and corrective action in the event of breach.&#160; All divisions, inclusive of second-line and third-line functions, have operating function responsibilities for managing risks that arise in the execution of their activities.&#160; </p><blockquote dir="ltr" style="margin-right&#58;0px;"><p style="margin-left&#58;5%;"> <em>C. Policies, Standards, and Procedures </em></p></blockquote><p>The ERM program must include appropriate corporate risk policies and procedures related to risk management governance and practices.<a href="#footnote24">[24]</a>&#160;&#160; At a minimum, this should include a board-approved ERM policy that establishes an integrated framework for managing risks enterprise-wide, describes the risk governance and risk oversight structure, and specifies roles and responsibilities.&#160; The ERM function should be responsible for developing and overseeing the implementation of the ERM policy and any supporting corporate risk standards describing the minimum criteria for identifying, assessing, controlling, monitoring, and reporting risks, including emerging risks.&#160; First-line functions should have procedures that are designed to implement the expectations for effective risk management as described in the ERM policy and applicable supporting standards.&#160; The Enterprise should also have a corporate risk taxonomy that defines common risk categories and classifies hierarchies of risks.&#160; The Enterprise should also have in place risk type corporate policies, standards, and implementing procedures consistent with its risk taxonomy categorizations.&#160; These risk type policies, standards, and procedures should be consistent with the ERM policy and supporting standards, but further define responsibilities and requirements for managing specific risks.</p><p>An enterprise-wide policy or supporting standard should also define expectations for developing, measuring, monitoring, communicating, and reporting on risk appetite, clearly defining roles and responsibilities of the board, management, and business units for managing risk within risk appetite and taking action when in breach of limits.&#160; While the ERM function is responsible for designing and overseeing the risk appetite framework, input and engagement across the first line business units and corporate functions should occur to develop risk appetite and the supporting metrics and limits that are ultimately reviewed and approved by the board.&#160; A comprehensive set of risk metrics, limits, and associated monitoring activities must be in place to confirm that risk exposures remain within established risk limits.<a href="#footnote25">[25]</a>&#160;&#160; Board risk limits should be supported by defined and actionable thresholds, set at a lower level than the limit to support risk monitoring and prompt management action before the limit is breached.&#160; The Enterprise should have processes defining escalation protocols and expectations for timely corrective action in the event of breach of thresholds and limits.&#160; This includes a mechanism for reporting breaches of risk limits to senior management and the board or board risk committee.<a href="#footnote26">[26]</a>&#160;&#160; </p> <p>The process for policy approval, exception protocols, and delegations of authority should be clear.&#160; Corporate risk policies, supporting standards, and implementing procedures should be reviewed, and updated periodically to consider changes in risk practices and regulatory expectations.&#160; The ERM function should regularly monitor first-line implementation and adherence to the ERM policy and related corporate risk policies and supporting standards.</p><blockquote dir="ltr" style="margin-right&#58;0px;"><p style="margin-left&#58;5%;"> <em>D. Risk Culture</em></p></blockquote><p>The board and senior management should set the “tone at the top” in a manner that fosters an effective risk culture.&#160; Risk culture constitutes the shared values, attitudes, competencies, and behaviors that guide risk decision-making and governance practices throughout the Enterprise.&#160; Risk culture emphasizes risk awareness and communicates the Enterprise’s expectations for risk management and operating within established risk appetite and limits.&#160; An effective risk culture (1) promotes high ethical standards,<a href="#footnote27">[27]</a>&#160; safety and soundness, compliance, and effective risk management; (2) establishes clear responsibility and accountability; (3) emphasizes the importance of internal control; and (4) promotes risk awareness, collaboration, transparency, and proactive discussion at all levels.&#160; Enterprise personnel are expected to be individually accountable, risk aware, perform risk management functions associated with their day-to-day business activities, engage in risk discussions, and escalate risk issues.&#160;&#160;&#160; </p><p>Employees at all levels should receive regular training on corporate risk policies, supporting standards, and implementing procedures to enable effective understanding and management of risks.&#160; Processes should be in place to ensure employees are accountable and aware of their risk management roles and responsibilities.&#160; An effective risk culture is evidenced when the Enterprise’s overall risk appetite is aligned with its mission and business objectives; risk reporting is timely, accurate, and informative; and risk management is integrated with management’s performance goals, objectives, and compensation structure.<a href="#footnote28">[28]</a>&#160; </p><p>The board or board risk committee and senior management should ensure that the CRO and the ERM function have adequate resources, including a well-trained and capable staff.&#160; The CRO should have stature and risk management expertise that is commensurate with the Enterprise’s capital structure, risk appetite, complexity, activities, size, and other appropriate risk-related factors.&#160; The CRO’s performance evaluation and compensation should be structured to provide for an objective and independent assessment of the risks taken by the Enterprise.&#160; </p><p> <strong>II. &#160;Risk Appetite Framework </strong></p><p>The ERM program sets the foundation for identifying, measuring, monitoring, and reporting on individual and aggregate levels of risks in relation to established risk appetite and risk limits.&#160; </p><blockquote dir="ltr" style="margin-right&#58;0px;"><p style="margin-left&#58;5%;"> <em>A.&#160;Risk Appetite’s Relationship to Strategy and Objective Setting </em></p></blockquote><p>Specific requirements for a board-approved strategic business plan are contained in the Corporate Governance Rule, including, among other things, that the strategic business plan must identify current and emerging risks of the Enterprise’s significant existing activities or new activities and include discussion of how the Enterprise plans to address such risks while furthering its public purposes and mission in a safe and sound manner.<a href="#footnote29">[29]</a>&#160; The Corporate Governance Rule also requires that the Enterprise’s risk appetite align with its strategies and business objectives <a href="#footnote30">[30]</a> and that the ERM program align with its risk appetite.<a href="#footnote31">[31]</a> &#160;Risk appetite should be linked to business decision-making, and be considered in light of the Enterprise’s business model.&#160; The CEO or President should be responsible for integrating and aligning the board-approved risk appetite with the Enterprise’s strategic business plan.&#160; The ERM program should be integrated into the processes for developing and reviewing the Enterprise’s strategic business plan to ensure alignment.</p><blockquote dir="ltr" style="margin-right&#58;0px;"><p style="margin-left&#58;5%;"> <em>B.&#160;Risk Appetite Statement and Risk Limits</em></p></blockquote><p>The Corporate Governance Rule defines risk appetite as the aggregate level and types of risk the board of directors and management are willing to assume to achieve the Enterprise’s strategic objectives and business plan, consistent with applicable capital, liquidity, and other regulatory requirements.<a href="#footnote32">[32]</a> &#160;Risk appetite should be grounded in the concept of risk capacity, or the maximum amount of risk the Enterprise can absorb before breaching capital, liquidity, and other constraints.&#160; An Enterprise’s risk appetite should be less than its risk capacity, and its risk profile should not exceed risk appetite.&#160; Conceptually, these elements work together to provide a basis for communicating the Enterprise’s risk profile and ensuring risk exposures are managed within risk appetite.&#160; </p><p>An Enterprise’s risk appetite framework should include a risk appetite statement and related quantitative risk metrics and limits.&#160; The risk appetite statement is an articulation of risk appetite in written form.&#160; It should be easy to communicate and understand, such that the board and senior management obtain a holistic but concise and easy to absorb view of the Enterprise’s aggregate risk position, aggregated within and across each material risk type, and based on forward-looking assumptions.&#160; It should also be easy to communicate and cascade down to the first-line risk taking functions such that it is easy to understand and apply in daily operations.&#160; The overall risk appetite statement may be designed as a series of qualitative summary statements describing the Enterprise’s aggregate risk appetite by material risk type.&#160; The overall statement, and as appropriate summary statements, should articulate clearly the motivations for accepting or avoiding that type of risk and set clear boundaries and expectations to enable risk monitoring and reporting.&#160; The statement should provide context by describing the current business activities that give rise to the risk, the desired risk tolerance, and corresponding mitigating controls and processes in place to allow operation within the stated risk appetite.&#160; The statement should include a scale identifying the risk appetite level for each material risk type in a clear and succinct manner.&#160; For example, each material risk type should be assigned a single-word consistent with the scale that clearly identifies the Enterprise’s posture with regard to that risk type.&#160; </p><p>While the qualitative risk appetite statement expresses a broad view of the risk in written form, the Enterprise should establish a comprehensive set of quantitative risk metrics, limits, thresholds, and indicators that allocate the Enterprise’s risk appetite across material risk types, complement the qualitative statement, and set the overall tone for the Enterprise’s approach to risk taking.&#160; The Enterprise must have board-approved risk limits <a href="#footnote33">[33]</a> and they should be set corresponding to a metric or set of metrics designed to measure a specific risk exposure or portfolio.&#160; The board risk limit should be supported by defined and actionable thresholds, set at a lower level than the limit to support risk monitoring and prompt management action before the limit is breached.&#160; An Enterprise may establish additional cascading, lower-level management limits and notification thresholds, as appropriate, that are designed to prompt management action.&#160; Board-level risk limits are not meant to be exceeded, and therefore an Enterprise should establish a framework for triggering escalations when limits are breached, with defined escalation and reporting protocols.&#160; All risk limits should be regularly monitored so that risk exposures remain within established thresholds.<a href="#footnote34">[34]</a> If a risk type cannot be quantified into limits and thresholds, qualitative measures and early warning indicators should be developed in order to provide an early signal of increasing risk exposures.&#160; These early warning indicators, or other key risk indicators, should be tracked to identify changes to the risk profile and emerging risks.&#160; Regular reassessment and update of early warning indicators should occur based on changing environmental and operational conditions.</p><p>Risk metrics should reflect attributes of the risk exposure being measured, and be consistent with applicable capital, liquidity, and other regulatory requirements.&#160; The limits corresponding to the metric should be set at a level to govern risk-taking within the defined risk appetite.&#160; Risk limits should be specific, measurable, actionable, sensitive to portfolio composition, reportable, and based on forward-looking assumptions.&#160; Risk limits should be expressed relative to earnings, capital, liquidity, or other relevant measures as appropriate.<a href="#footnote35">[35]</a> &#160;In setting risk limits, the Enterprise should consider the interaction between risks within and across business lines, and their correlated or compounding impact on exposures and outcomes.&#160; As appropriate, the Enterprise should utilize scenario analysis and stress testing results to inform the risk appetite limit setting process in order to ensure that the Enterprise understands what events might push it outside its risk appetite or capacity.&#160; Risk limits may require model output to measure and monitor exposures and on-top adjustment subject to model risk management and review as appropriate.<a href="#footnote36">[36]</a>&#160; </p><p>The Enterprise’s risk appetite framework should be re-evaluated on at least an annual basis to ensure it is representative of any changes in risk profile of the Enterprise and continued alignment to strategic and business objectives.&#160; The review should consider significant market and business changes, new business initiatives, risk event occurrences, and other changes to the Enterprise’s risk profile.&#160; Additional ad hoc reviews should occur periodically during the year considering any major changes outside of the ordinary annual cycle.</p><p> <strong>III. &#160;ERM Identification, Assessment, Control, and Monitoring Processes</strong></p><p>The ERM program supports the management of risk exposures through enterprise-wide risk management processes designed to identify, assess, control, monitor, and report risk.</p><p>The Enterprise should have processes in place to identify current, new, top, emerging, and changing risks and methods for evaluating the level of exposure to risk.&#160; Risks should be rated based upon measures of the likelihood of a risk’s occurrence and the severity of its impact.&#160; Forward-looking assessments and scenarios should also be used to identify risks that could pose the most significant impacts to the Enterprise, both during periods of normal economic conditions and periods of stress.&#160; Risk identification and assessment processes should occur regularly and include comprehensive self-assessment of material risks on at least an annual basis.<a href="#footnote37">[37]</a>&#160;&#160; </p><p>The risk assessment process should start with a rating of inherent risk, which represents the level of exposure to a risk absent any management actions to alter the risk’s likelihood or impact.&#160; The design and operating effectiveness of controls in place to mitigate the risk should then be evaluated.&#160; <br>A residual risk rating should result, considering the likelihood and impact of the risk’s occurrence taking into account the application and effectiveness of these mitigating controls.&#160; An additional risk response is then determined considering the residual risk and applicable risk appetite.&#160; Risk responses should result in either accepting, reducing, transferring, pursuing, or avoiding the risk.&#160; Risk acceptance results in no action taken to affect the residual risk.&#160; Risk reduction results in designing and implementing processes to effectively apply additional mitigating controls to reduce residual risk to an acceptable level.&#160; Risk transference results in sharing or transferring a portion of the risk to reduce residual risk to an acceptable level.&#160; Risk pursuance results in action taken that accepts increased risk in order to achieve increased performance.&#160; Risk avoidance results in discontinuing the activities which give rise to the risk all together.&#160; Management’s response decision should be informed by risk appetite and other criteria for determining the acceptability of residual risk to the Enterprise.&#160; </p><p>Risks should be regularly monitored to determine the current status and identify changes or trends in risk exposures over time.&#160; First line functions are responsible for establishing monitoring processes on risks arising from the activities for which they are accountable and managing those risks within the established risk appetite.&#160; The second line ERM function is responsible for overseeing first line risk monitoring activities and monitoring adherence to risk appetite.&#160; Regular monitoring for adherence to the risk appetite and limit structure is necessary to ensure risk exposures remain within established risk limits.<a href="#footnote38">[38]</a>&#160; The overall effectiveness of the Enterprise’s internal control system should be monitored on an ongoing basis and ensure that business units conduct periodic evaluations.&#160; Internal control deficiencies should be reported to senior management and the board on a timely basis and addressed promptly.<a href="#footnote39">[39]</a> </p><p>The Enterprise should have processes in place to identify and define issues that may arise due to internal control gaps or weaknesses or internal process deficiencies.&#160; Issues may be identified through regular risk assessment and monitoring processes, second line oversight activities, internal audit reviews, or FHFA examinations, or management self-identified through the normal course of business.&#160; Issues should be documented, rated to assess priority, assigned ownership, and addressed in a timely manner.&#160; Issue remediation should be regularly monitored and reported to senior management and the board or appropriate board committee.&#160; </p><p> <strong>IV.&#160;ERM Reporting and Communication Processes</strong></p><p>Information generated from risk management processes should be reported in a form that is relevant, accurate, complete, timely, consistent, and comprehensive to enable the execution of sound and informed risk management decisions.<a href="#footnote40">[40]</a>&#160; The Enterprise should have risk management information systems that generate, at an appropriate frequency, the information needed to manage risk.&#160; Risk data should be aggregated to develop a comprehensive and accurate view of the Enterprise’s aggregate risk position and to facilitate integrated enterprise-wide risk reporting.&#160; Systems and processes supporting risk and control reporting should align under a common data architecture to facilitate and support the Enterprise’s risk aggregation and enterprise-wide reporting.&#160; Standardized data that is consistently defined is key when producing enterprise-wide reports that aggregate or combine risk data from different risk management processes.&#160; Consistent and standardized risk data is also important for preparing reports that compare risks over time for meaningful trend analysis.&#160; Risk reports should be defined to ensure that the reports produced are comprehensive, at an appropriate level, and consistent across board, senior management, and business-line levels.&#160; Risks identified at process- and business-line levels should be consistent with and flow up to a portfolio and aggregated enterprise-wide view of risk.</p><p>The ERM function is responsible for providing a comprehensive enterprise-wide view of risk to the board risk committee and appropriate levels of management for consideration and action.&#160; The CRO must report to the board risk committee and to the CEO on significant risk exposures and related controls, adherence to risk appetite and limits, risk management strategies, results of risk management reviews, and emerging risks.<a href="#footnote41">[41]</a>&#160; The CRO must also report any significant issues related to first-line compliance with corporate risk policies and related exceptions, and regularly assess and make recommended adjustments as necessary or appropriate.<a href="#footnote42">[42]</a>&#160; This should include reporting on significant issues related to first-line compliance with related corporate risk standards and exceptions as well.&#160; </p><p>The ERM function should also have processes in place to assess and report on the impact of the board-approved strategic business plan to the Enterprise’s risk profile, and risk events that may adversely impact the achievement of strategic and business operating objectives.&#160; These processes should also include regular assessment and reporting on new business initiatives that significantly impact the Enterprise’s risk profile or require regulatory review and approval.&#160; ERM should provide an aggregated view of enterprise risks and report on key risk indicators that provide a consistent view of top and emerging risk across business lines and processes.&#160; The frequency and variety of reporting should be a function of the risks, changes in the risks, and impact to decisions.</p><p style="text-decoration&#58;underline;"> <strong>Related Guidance and Regulations</strong></p><p>12 CFR Part 1239, Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance Matters.</p><p>12 CFR Part 1236, Appendix, Prudential Management and Operating Standards.</p><p> <em>Contingency Planning for High-Risk or High-Volume Counterparties</em>, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013.</p><p> <em>Model Risk Management Guidance</em>, Federal Housing Finance Agency Advisory Bulletin 2013-07, November 20, 2013.</p><p> <em>Operational Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2014-02, February 18, 2014.</p><p> <em>Oversight of Single-Family Seller/Servicer Relationships</em>, Federal Housing Finance Agency Advisory Bulletin 2014-07, December 1, 2014.</p><p> <em>Fraud Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2015-07, September 29, 2015.</p><p> <em>Data Management and Usage</em>, Federal Housing Finance Agency Advisory Bulletin 2016-04, September 29, 2016.</p><p> <em>Internal Audit Governance and Function</em>, Federal Housing Finance Agency Advisory Bulletin 2016-05, October 7, 2016.</p><p> <em>Information Security Management</em>, Federal Housing Finance Agency Advisory Bulletin 2017-02, September 28, 2017.</p><p> <em>Cloud Computing Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2018-04, August 14, 2018.</p><p> <em>Oversight of Multifamily Seller Servicers</em>, Federal Housing Finance Agency Advisory Bulletin 2018-05, August 14, 2018.</p><p> <em>Liquidity Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2018-06, August 22, 2018.</p><p> <em>Oversight of Third-Party Provider Relationships</em>, Federal Housing Finance Agency Advisory Bulletin 2018-08, September 28, 2018.</p><p> <em>Interest Rate Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2018-09, September 28, 2018.</p><p> <em>Business Resiliency Management</em>, Federal Housing Finance Agency Advisory Bulletin 2019-01, May 7, 2019.</p><p> <em>Enterprise Fraud Reporting</em>, Federal Housing Finance Agency Advisory Bulletin 2019-04, September 18, 2019.</p><p> <em>Compliance Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2019-05, October 3, 2019.</p><p> <em>Credit Risk Transfer Analysis and Reporting</em>, Federal Housing Finance Agency Advisory Bulletin 2019-06, November 14, 2019.</p><p>&#160;</p><hr width="25%" align="left" /><p> <a name="footnote1">[1]</a>&#160;Common Securitization Solutions, LLC (CSS) is an “affiliate” of both Fannie Mae and Freddie Mac, as defined in the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended.&#160; 12 USC 4502(1).</p><p> <a name="footnote2">[2]</a>&#160;<em>See</em> Committee of Sponsoring Organizations of the Treadway Commission (COSO), <em>Enterprise Risk Management – Integrating with Strategy and Performance</em> (2017).</p><p> <a name="footnote3"> [3]</a><em>&#160;See, e.g., Financial Stability Board, <em>Principles for an Effective Risk Appetite Framework</em> (2013). </em></p><p> <a name="footnote4">[4]</a> See, e.g., Office of the Comptroller of the Currency, <em>Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Integration of Regulations</em> (12 CFR Parts 30, 168, and 170) (2014).</p><p> <a name="footnote5">[5]</a>&#160;12 CFR 1239.11(a).</p><p> <a name="footnote6">[6]</a>&#160;12 CFR 1239.11(a)(3).</p><p> <a name="footnote7">[7]</a>&#160;12 CFR 1239.11(a)(3).</p><p> <a name="footnote8">[8]</a>&#160;12 CFR 1239.11(a)(3).</p><p> <a name="footnote9">[9]</a>&#160;12 CFR 1239.11(b).</p><p> <a name="footnote10">[10]</a>&#160;12 CFR 1239.11(b)(2)(i).</p><p> <a name="footnote11">[11]</a>&#160;Regarding documentation of board risk committee meetings, see 12 CFR 1239.11(b)(1)(iv). Documentation of management-level meetings may include memorializing committee discussions in committee minutes and meeting materials.</p><p> <a name="footnote12">[12]</a>&#160;Some organizational units or functions within an Enterprise, such as those that provide legal services to the Enterprise, do not generally fall within a three lines model.</p><p> <a name="footnote13">[13]</a>&#160;See FHFA Advisory Bulletin 2019-05, Compliance Risk Management (Oct. 3, 2019).</p><p> <a name="footnote14">[14]</a>&#160;See FHFA Advisory Bulletin 2016-05, Internal Audit Governance and Function (Oct. 7, 2016).</p><p> <a name="footnote15">[15]</a>&#160;12 CFR 1239.4(c).</p><p> <a name="footnote16">[16]</a>&#160;12 CFR 1239.11(a)(1).</p><p> <a name="footnote17">[17]</a>&#160;12 CFR 1239.11(a)(2).</p><p> <a name="footnote18">[18]</a>&#160;The Corporate Governance Rule defines these as being inclusive of credit, market, liquidity, business, and operational risk. 12 CFR 1239.11(a).</p><p> <a name="footnote19">[19]</a>&#160;12 CFR 1239.11(b)(2)(i).</p><p> <a name="footnote20">[20]</a>&#160;See generally, 12 CFR Part 1236, Appendix (PMOS), Responsibilities of the Board of Directors, Principle 4.</p><p> <a name="footnote21">[21]</a>&#160;12 CFR 1239.11(c).</p><p> <a name="footnote22">[22]</a>&#160;12 CFR 1239.11(c)(5).</p><p> <a name="footnote23">[23]</a>&#160;12 CFR 1239.11(c)(5).</p><p> <a name="footnote24">[24]</a>&#160;12 CFR 1239.11(a)(3).</p><p> <a name="footnote25">[25]</a>&#160;See 12 CFR 1239.11(a) and 12 CFR Part 1236, Appendix (PMOS), Standard 8.</p><p> <a name="footnote26">[26]</a>&#160;See 12 CFR 1236, Appendix (PMOS), Standard 8.</p><p> <a name="footnote27">[27]</a>&#160;An Enterprise must establish and adhere to a written code of conduct and ethics that is reasonably designed to assure that directors, officers, and employees discharge their duties and responsibilities in an objective an impartial manner that promotes honest and ethical conduct, compliance, and accountability. 12 CFR Part 1239.10(a).</p><p> <a name="footnote28">[28]</a>&#160;See 12 CFR Part 1239.11(a)(3) and 12 CFR Part 1236, Appendix (PMOS), Standard 8.</p><p> <a name="footnote29">[29]</a>&#160;12 CFR Part 1239.14(a)(5).</p><p> <a name="footnote30">[30]</a>&#160;12 CFR Part 1239.11(a).</p><p> <a name="footnote31">[31]</a>&#160;12 CFR Part 1239.11(a)(2).</p><p> <a name="footnote32">[32]</a>&#160;12 CFR Part 1239.2.</p><p> <a name="footnote33">[33]</a>&#160;12 CFR Part 1239.11(a)(3)(i). See also 12 CFR Part 1236, Appendix (PMOS), Standard 8.</p><p> <a name="footnote34">[34]</a>&#160;See 12 CFR Part 1239.11(a)(3) and 12 CFR Part 1236, Appendix (PMOS), Standard 8.</p><p> <a name="footnote35">[35]</a>&#160;The PMOS lays out expectations regarding specific risk area risk limit-setting, measurement, and escalation.</p><p> <a name="footnote36">[36]</a>&#160;See FHFA Advisory Bulletin 2013-07, Model Risk Management Guidance (Nov. 20, 2013).</p><p> <a name="footnote37">[37]</a>&#160;12 CFR Part 1236, Appendix (PMOS), Standard 8.</p><p> <a name="footnote38">[38]</a>&#160;12 CFR Part 1236, Appendix (PMOS), Standard 8.</p><p> <a name="footnote39">[39]</a>&#160;12 CFR Part 1236, Appendix (PMOS), Standard 1.</p><p> <a name="footnote40">[40]</a>&#160;See FHFA Advisory Bulletin 2016-04, Data Management and Usage (Sept. 29, 2016). </p><p> <a name="footnote41">[41]</a>&#160;12 CFR Part 1239.11(c)(2) and (5).</p><p> <a name="footnote42">[42]</a>&#160;12 CFR Part 1239.11(c)(5).</p><p> <em>&#160; </em></p> <em> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities. Questions about this advisory bulletin should be directed to <a href="mailto&#58;SupervisionPolicy@FHFA.gov">SupervisionPolicy@FHFA.gov</a>. </p></td></tr></tbody></table> <p>&#160;</p></em>12/11/2020 5:14:30 PMHome / Supervision & Regulation / Advisory Bulletins / Enterprise Risk Management Program Advisory Bulletin AB 2020-06: ENTERPRISE RISK MANAGEMENT PROGRAM (PDF 5437https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Enterprise Cybersecurity Incident Reporting27878Fannie Mae & Freddie Mac8/21/2020 4:00:00 AMAB 2020-05<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​ADVISORY BULLETIN</strong></p><p> <strong>AB 2020-05&#58; ENTERPRISE CYBERSECURITY INCIDENT REPORTING</strong></p></td></tr></tbody></table><p> <em style="text-decoration&#58;underline;"> <em> <strong>​Purpose</strong></em></em></p><p>This advisory bulletin (AB) communicates Federal Housing Finance Agency's (FHFA) supervisory expectations for cybersecurity incident reporting to maintain safe and sound operations at Fannie Mae and Freddie Mac (the Enterprises). <a href="#footnote1"> <span style="text-decoration&#58;underline;">[1]</span></a></p><p style="text-decoration&#58;underline;"> <strong> <em>Background</em></strong></p><p>As part of an effective information security management program, the Enterprises need to be able to effectively respond to cybersecurity events that could affect the confidentiality, availability, and integrity of information. &#160;The continuous monitoring of systems to detect anomalies as well as successful and attempted attacks, including unauthorized activity on or intrusion into information systems, is an activity that underlies robust incident response.</p><p>Prioritizing the handling of cybersecurity incidents is a critical factor in the success or failure of an incident response process. By prioritizing incidents, Enterprises identify situations that are of greater severity and demand immediate attention.&#160; The Enterprises should communicate to FHFA incidents that affect or have the potential to affect the security of their information.&#160; This AB informs the Enterprises of supervisory expectations for assessing the Enterprise reports on cybersecurity incident data sent to FHFA.</p><p style="text-decoration&#58;underline;"> <em> <strong>Guidance</strong></em></p><p>This guidance explains the need for cybersecurity incident information that is supplemental to what is otherwise regularly, consistently, and systematically collected for use in supervisory oversight.&#160; The information reported in line with this guidance is adjunct to other more formal reports, but it is important for both the Enterprises and FHFA to compile and use the information specifically in evaluating cybersecurity incident responses and readiness to confront cybersecurity threats to safety and soundness.</p><p> <em>Definition of Cybersecurity Incident</em></p><p>For the purpose of the AB, FHFA defines a reportable cybersecurity incident as an occurrence that&#58;</p><ul><li>occurs at the Enterprise or at a third party that actually or potentially jeopardizes the confidentiality, integrity, or availability of an Enterprise system or Enterprise information the system processes, stores, or transmits, or;</li><li>constitutes a violation or imminent threat of violation of the Enterprise's security policies, security procedures, or acceptable use policies. <a href="#footnote2"> <span style="text-decoration&#58;underline;">[2]</span></a></li></ul><p> <em>Incident Severity Scoring</em></p><p>Effective reporting of cybersecurity incidents begins with the Enterprises determining a cybersecurity incident's severity by evaluating the confirmed impacts as well as potential impacts of the incident that they anticipate are likely to occur. Outlined below is an Incident Severity Score framework that will be consistent in meaning across both Enterprises and will facilitate the Enterprises' accurately advising FHFA of the seriousness of each incident. <a href="#footnote3"> <span style="text-decoration&#58;underline;">[3]</span></a>&#160; As analysis of a cybersecurity incident progresses, the Enterprises should continuously re-evaluate the severity level for each incident and report to FHFA as described below.</p><p> <strong>Severity 1&#58; Major.</strong>&#160; Cybersecurity incidents that interrupt one or more mission critical functions or result in the inability to achieve one or more mission critical objectives.&#160; Major Incidents are likely to have a substantial negative impact on customers and/or counterparties and may pose reputational risk to the Enterprise.&#160; Cybersecurity incidents that include personally identifiable information may also be considered a Major Incident.&#160; </p><p> <strong>Severity 2&#58; Significant.</strong>&#160; Cybersecurity incidents that interrupt or result in a degradation to one or more mission critical functions or core services.&#160; Significant Incidents may have a negative impact on customers and/or counterparties and may pose reputational risk to the Enterprise.&#160; Cybersecurity incidents that include substantial non-public information may also be considered Significant Incidents.</p><p> <strong>Severity 3&#58; Moderate.</strong>&#160; Cybersecurity incidents that interrupt or result in a degradation to one or more production systems or applications.&#160; Moderate Incidents may have a negative impact on customers and/or counterparties but are unlikely to pose substantial reputational risk to the Enterprise.&#160; Cybersecurity incidents that include a moderate amount of non-public information may also be considered Moderate Incidents.</p><p> <strong>Severity 4&#58; Minor.</strong> &#160;Cybersecurity incidents that result in a degradation to a production system or application or an outage of multiple non-production systems or applications.&#160; Minor Incidents are unlikely to have negative impact on customers and/or counterparties and pose no reputational risk to the Enterprise.&#160; Cybersecurity incidents that include minor amounts of data loss may also be considered.&#160; Minor Incidents may result in minor amounts of data loss that cannot be retrieved or deleted.</p><p> <strong>Severity 5&#58; Insignificant.</strong>&#160; Cybersecurity incidents that interrupt or result in an outage of a single non-production system or application or the degradation of one or more non-production systems or applications.&#160; Insignificant Incidents may also include a violation of security policies, security procedures, or acceptable use policies that has no impact on systems and applications.&#160; Insignificant Incidents are unlikely to have a negative impact on customers and/or counterparties and pose no reputational risk to the Enterprise.&#160; Cybersecurity incidents that include minor amounts of data loss that can be retrieved may also be considered Insignificant Incidents.</p><p> <em>Timely Reporting&#160;</em></p><p>Timely reporting from each Enterprise is critical to effective supervision.</p><p> <strong>Immediate Notification</strong></p><p>FHFA expects the Enterprises to prioritize responding to, and taking corrective action for, the identified incident or potential threat and to notify and provide a description of any Major Incident as soon as possible to the Examiner-in-Charge (EIC) for the Enterprise.&#160; The notification can occur via email, telephone, or in person so long as the Enterprise confirms receipt of the notification.&#160; In addition to contacting the EIC, the Enterprise should send a report describing the Major Incident to FHFA through secure methods established by FHFA.&#160; The Enterprise should continue to provide updates on any Major Incident throughout the incident response and remediation to the EIC or his/her designee.</p><p> <strong>24-hour Notification</strong></p><p>FHFA expects the Enterprises to notify and report a description of any Significant Incident within 24 hours of determination.&#160; The notice and report should be made to the EIC for the Enterprise.&#160; The notification can occur via email, telephone, or in person so long as the Enterprise confirms receipt of the notification.&#160; In addition to contacting the EIC, a report of any Significant Incident should be sent electronically through secure methods established by FHFA.&#160; The Enterprise should continue to provide updates on any Significant Incident throughout the incident response and remediation to the EIC or his/her designee.&#160;</p><p> <strong>Monthly Cybersecurity Incident Report</strong></p><p>Consistency of incident reporting is necessary to assess the effectiveness of each Enterprise's incident response process.&#160; Threats may occur simultaneously, sequentially, or randomly and FHFA needs to be sufficiently informed of incidents to evaluate effective detection and responses across the Enterprises. By submitting a monthly cybersecurity incident report to FHFA, the Enterprises and FHFA will be better prepared and aware of security challenges that could compromise safety and soundness.&#160; FHFA will provide a template describing the format as well as the standard content with corresponding definitions and examples that should be included in the monthly cybersecurity incident report.</p><p>Each Enterprise should submit the monthly cybersecurity incident report within fifteen (15) calendar days after the end of each month, even if there are no reportable cybersecurity incidents during the reporting period.&#160; The report should be sent electronically through secure methods established by FHFA.</p><p style="text-decoration&#58;underline;"> <strong><em>Effective Date</em></strong></p><p>This AB becomes effective on October 1, 2020</p><p style="text-decoration&#58;underline;"> <strong><em>Related Guidance</em></strong></p><p style="text-align&#58;left;">12 CFR Part 1236 Prudential Management and Operations Standards, Appendix.&#160;<em>&#160;</em></p><p style="text-align&#58;left;"> <em>Oversight of Third-Party Provider Relationships</em>, Federal Housing Finance Agency Advisory Bulletin 2018-08, September 28, 2018.&#160;</p><p style="text-align&#58;left;"> <em>Cloud Computing Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2018-04, August 14, 2018.&#160;</p><p style="text-align&#58;left;"> <em>Information Security Management</em>, Federal Housing Finance Agency Advisory Bulletin 2017-02, September 28, 2017.&#160;</p><p style="text-align&#58;left;"> <em>Internal Audit Governance and Function</em>, Federal Housing Finance Agency Advisory Bulletin 2016-05, October 7, 2016.&#160;</p><p style="text-align&#58;left;"> <em>Data Management and Usage</em>, Federal Housing Finance Agency Advisory Bulletin 2016-04, September 29, 2016.&#160;</p><p style="text-align&#58;left;"> <em>Operational Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2014-02, February 18, 2014.<br>&#160;</p><hr width="25%" align="left" /><p> <a name="footnote1"> <span style="text-decoration&#58;underline;">[1]</span></a>&#160;Common Securitization Solutions, LLC (CSS) is an “affiliate&quot; of both Fannie Mae and Freddie Mac, as defined in the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, as amended.&#160; 12 USC 4502(1).</p><p> <a name="footnote2"> <span style="text-decoration&#58;underline;">[2]</span></a>&#160;This definition is adapted from the National Institute of Standards and Technology. </p><p> <a name="footnote3"><span style="text-decoration&#58;underline;">[3]</span></a><em>&#160;</em>The Incident Scoring is not meant to replace severity or priority scoring established internally by the Enterprises.</p><p> <em>&#160; </em></p> <em> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities. Questions about this advisory bulletin should be directed to <a href="mailto&#58;SupervisionPolicy@FHFA.gov">SupervisionPolicy@FHFA.gov</a>. </p></td></tr></tbody></table> <p>&#160;</p></em>8/24/2020 5:00:30 PMHome / Supervision & Regulation / Advisory Bulletins / Enterprise Cybersecurity Incident Reporting Advisory Bulletin AB 2020-05: ENTERPRISE CYBERSECURITY INCIDENT REPORTING 4258https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Financial Reporting and Disclosure and External Audit28435All8/20/2020 4:00:00 AMAB 2020-04<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​ADVISORY BULLETIN</strong></p><p> <strong>AB 2020-04&#58; FINANCIAL REPORTING AND DISCLOSURE AND EXTERNAL AUDIT</strong></p></td></tr></tbody></table><p> <em style="text-decoration&#58;underline;"><em><strong>​Purpose</strong></em></em></p><p>This Advisory Bulletin (AB) articulates the Federal Housing Finance Agency's (FHFA) supervisory expectations for oversight and management of financial reporting and disclosures and of the external audit function. </p><p>This AB applies to Fannie Mae and Freddie Mac (the Enterprises), the Federal Home Loan Banks (FHLBanks), and the FHLBanks' Office of Finance (OF) (collectively, the regulated entities) <a href="#footnote1"> <span style="text-decoration&#58;underline;">[1]</span></a> and is effective immediately. &#160;This AB rescinds, and along with AB 2016-05 Internal Audit Governance and Function, replaces FHFA's Examination for Accounting Practices guidance.&#160; </p><p>Transparent financial reporting and disclosures, subject to strong internal control over financial reporting (ICFR) and confirmed by a high-quality external audit, help ensure that published financial information is reliable and free from material misstatements for all stakeholders.&#160; &#160;&#160;Timely, accurate, complete, and meaningful reporting and disclosures regarding financial condition and performance support FHFA's risk-focused supervision of the regulated entities.&#160; For FHFA as a prudential regulator, such reporting facilitates effective risk assessments, off-site monitoring, and examination planning. &#160;Financial condition and performance metrics for capital adequacy, liquidity, earnings adequacy, and asset quality are based on information in these reports.</p><p style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></p><p>The Office of Federal Housing Enterprise Oversight (OFHEO) issued the Examination for Accounting Practices guidance to the Enterprises in 2006. &#160;FHFA revised and updated that guidance in 2009 and expanded its application to the FHLBanks. &#160;With the issuance of this financial reporting and external audit guidance and AB 2016-05 Internal Audit Governance and Function, FHFA has updated and revised the 2009 guidance to reflect our regulatory experience and that of other financial regulators, and to more clearly communicate FHFA's supervisory expectations in these areas to the regulated entities.&#160;</p><p>Regarding financial reporting and external audit, the regulated entities are governed by different, yet generally concordant, FHFA and/or Securities and Exchange Commission (SEC) regulations and auditing standards. <a href="#footnote2"> <span style="text-decoration&#58;underline;">[2]</span></a>&#160; Notably&#58;&#160;</p><ul><li>The Enterprises are SEC registrants. Their external audits are subject to Public Company Accounting Oversight Board (PCAOB) auditing standards.&#160; Under FHFA regulations, the Enterprises are subject to specified New York Stock Exchange (NYSE) requirements.</li><li>The FHLBanks are SEC registrants.&#160; Their external audits are subject to PCAOB auditing standards and under FHFA regulations, are subject to Generally Accepted Auditing Standards (GAAS) and Generally Accepted Government Auditing Standards (GAGAS). <a href="#footnote3"> <span style="text-decoration&#58;underline;">[3]</span></a>&#160; Applicable FHFA rules further detail specific requirements for audit committees regarding external audit and financial reporting oversight.</li><li>The OF is not an SEC registrant.&#160; Under FHFA regulations, FHLBank System combined financial reports are subject to GAAS and GAGAS. <a href="#footnote4"> <span style="text-decoration&#58;underline;">[4]</span></a>&#160; The regulations also address oversight of the external auditor for the combined financial reports. <a href="#footnote5"> <span style="text-decoration&#58;underline;">[5]</span></a></li></ul><p>Each Enterprise and FHLBank is covered by FHFA's Prudential Management and Operations Standards (PMOS) and each regulated entity reports financial information in conformance with U.S. Generally Accepted Accounting Principles (GAAP). <a href="#footnote6"> <span style="text-decoration&#58;underline;">[6]</span></a>&#160; Enterprise and FHLBank management assess the effectiveness of their respective entity's ICFR based on the criteria in the Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).&#160;</p><p>The referenced FHFA, SEC, and NYSE rules and regulations, as applicable, address a wide range of audit committee governance topics including&#58;&#160;</p><ul><li>Committee composition and members' qualifications, including financial literacy and expertise, and independence requirements;</li><li>Committee oversight of the integrity of financial statements and earnings releases and compliance with legal and regulatory requirements;</li><li>Committee charter content and minimum frequency of reviews and re-approval;</li><li>Boards' responsibility to provide the audit committee sufficient funding for payments to the external auditor and to advisors/counsel that the committee retains as it deems necessary to carry out its duties;</li><li>Committee duties and responsibilities regarding external auditor oversight including&#58;</li><ul><li>Responsibility for selecting the auditor, evaluating the auditor's performance, replacing the auditor if needed, and ensuring that the auditor is solely responsible to the committee;</li><li>Ensuring that the external auditor submits a formal written statement regarding relationships and services that may adversely affect independence and discussing any disclosed relationships that may impact objectivity and independence with the external auditor;</li><li>Reviewing the auditor's internal quality control procedures;</li><li>Meeting with, including in executive sessions, auditors and management;</li><li>Reviewing and approving procedures for handling complaints received by the regulated entity regarding accounting, internal accounting controls, or auditing matters; and confidential, anonymous submission by regulated entity staff of concerns regarding questionable accounting or auditing matters; and</li><li>Providing for an annual committee self-evaluation or external review.</li></ul></ul><p>The guidance in this AB is intended to be consistent with applicable statutes, regulations, GAAP, and auditing standards.&#160; In some instances, substantive elements of guidance herein for all regulated entities may be addressed by FHFA regulation, SEC regulation, or applicable accounting or auditing standards for one or more regulated entities.&#160; This guidance does not relieve or diminish the responsibility of a regulated entity's board of directors or management to follow applicable laws, rules, and regulations and to conform to applicable accounting standards.&#160; Any perceived conflicts should be resolved so as to comply with applicable laws and regulations, and in conformance with accounting standards.</p><p style="text-decoration&#58;underline;"> <em><strong>Guidance</strong></em></p><p> <strong>I. Financial Reporting and Disclosure Oversight and Management</strong></p><p>Regulated entities' boards of directors and senior managers are responsible, within their respective roles as described in FHFA's corporate governance regulation and prudential standards, for the institution operating in a safe and sound manner. &#160;Entities should maintain effective accounting and reporting systems and ICFR to produce reliable and accurate financial reports and meaningful disclosures.&#160;</p><p>To address accounting, financial reporting, and disclosure, audit committees should&#58;&#160;</p><ul><li>Review and discuss annual audited financial statements, quarterly SEC filings or equivalent financial statements, and earnings releases;</li><li>Meet regularly with management and external auditors and hold regular executive sessions with the external auditor;</li><li>Oversee that management establishes, implements, and maintains accounting policies and procedures that comply with applicable laws, rules, and regulations and conform to applicable guidance, including GAAP and other relevant reporting and disclosure standards;</li><li>Ensure that the regulated entity has policies in place to notify FHFA of any accounting treatments or policies identified as posing significant legal, reputation, or safety and soundness risk, with a focus on accounting treatments or policies that do not employ GAAP or preferred methods; and</li><li>Direct management to provide the committee with adequate information and reports to carry out its duties and responsibilities and challenge management and auditors where appropriate.&#160;</li></ul><p> <em>A. Assessing Materiality&#160;</em></p><p>An entity's audit committee should review and clearly understand how management and the external auditor assess financial statement materiality. &#160;For public financial disclosures, FHFA's regulated entities should follow materiality guidelines established by the SEC and other U.S. standard-setters and regulators as appropriate.&#160; FHFA is informed by the SEC's statements regarding materiality and generally considers them as part of its ongoing review of regulated entities' accounting practices and controls.&#160;</p><p>A regulated entity's determination that an accounting matter is material or presents a materiality issue may be a factor in FHFA's oversight of a regulated entity. &#160;An item not being deemed to be “material&quot; or not having “materiality&quot; for financial reporting purposes, however, would not necessarily preclude FHFA from having supervisory concerns about the item. &#160;Further, FHLBanks may be required to provide information that is less than material to their individual financial statements to the OF in order to support FHLBank System combined financial filings.&#160;</p><p> <em>B. Accounting Policies and Procedures&#160;</em></p><p>FHFA expects each regulated entity's management, with appropriate audit committee oversight, to establish and maintain&#58;&#160;</p><ul><li>A formal written procedure for developing accounting policies;</li><li>A process for disclosing those policies and the regulated entity's compliance with applicable regulatory requirements and GAAP to the committee;</li><li>Accounting and disclosure policies and procedures that reflect applicable regulatory requirements and GAAP; and</li><li>A complete and current accounting guide that lists all of the regulated entity's accounting policies, including a procedure for documenting the business purpose of all significant types of transactions.&#160;</li></ul><p>Each regulated entity currently submits its accounting guide to FHFA annually, and significant revisions to FHFA quarterly, although the FHFA Chief Accountant may request more frequent submissions.&#160;&#160;&#160;</p><p> <em>C. Internal Control over Financial Reporting</em></p><p>Each regulated entity is responsible for designing, implementing, monitoring, and maintaining its ICFR. <a href="#footnote7"> <span style="text-decoration&#58;underline;">[7]</span></a> &#160;&#160;Each regulated entity should ensure that its ICFR system is designed to minimize the risk of a material financial misstatement, whether due to reporting error, fraud, or other external or company-specific risks.&#160;</p><p>FHFA expects regulated entities to develop, implement, and maintain robust business and accounting systems and processes subject to rigorous quality controls to minimize the possibility of material misstatements.&#160; Regulated entities should remediate identified deficiencies timely and should not allow significant control deficiencies to persist.&#160;&#160;</p><p>ICFR review functions <a href="#footnote8"> <span style="text-decoration&#58;underline;">[8]</span></a> should be structured to ensure that those persons performing and evaluating testing are appropriately independent of the controls being tested. &#160;Each regulated entity should ensure that it has protocols in place for its employees and vendors to comply with the regulated entity's ICFR-related policies and procedures.&#160;</p><p>Each regulated entity should have a system in place to provide reasonable assurance that accounting and disclosure policies and procedures reflect regulatory and GAAP requirements and should have proper procedures and processes in place to evaluate compliance with those requirements.&#160; The ICFR risk assessment process should include assessing new products and business lines, as well as significant growth, shrinkage, and other changes in existing products and business lines. &#160;This should help ensure that key controls are identified and tested so that potential control deficiencies are identified timely and properly addressed.&#160;</p><p>Each regulated entity's management should ensure, and its audit committee should oversee, that the regulated entity establishes, implements, and maintains effective controls over information reported to FHFA through FHFA's Call Report System and in formal data requests.&#160;</p><p> <em>D. Regulated Entity Accounting Staff</em></p><p>Each regulated entity's management should hire sufficient numbers of technically competent accounting staff and that staff should remain professionally competent and current in professional standards. &#160;Accounting departments should implement and maintain quality control procedures to ensure that they follow accounting policies and procedures.&#160; Further, accounting staff should be charged with reporting any non-compliance with GAAP to appropriate management and/or auditors.&#160;</p><p> <em>E. Financial Statements</em></p><p>As SEC registrants, each FHLBank and Enterprise must prepare and timely file with the SEC periodic financial statements and disclosures that comply with applicable SEC regulations. &#160;Each regulated entity also should prepare and timely file financial statements and information as required by FHFA regulations.&#160; FHFA encourages the regulated entities to maximize transparency in their public financial reporting and disclosures, and to establish and implement policies that lead to comparable and consistent accounting and disclosures to the extent practicable. <a href="#footnote9"> <span style="text-decoration&#58;underline;">[9]</span></a></p><p>FHFA expects each FHLBank and Enterprise to submit to FHFA any financial information, disclosures, or other items it submits to the SEC that are not available to FHFA in public filings. &#160;FHFA also expects each regulated entity to provide additional information about the financial information, disclosures, and other items it submits to the SEC when and in the manner requested by FHFA.</p><p> <em>F. Non-GAAP Measures in Financial Statements</em></p><p>Regulated entities should consider risks associated with presenting non-GAAP measures in public financial reports, along with their responsibilities to transparently inform stakeholders about the entity's financial condition and results of operations.&#160; If a regulated entity decides to disclose a non-GAAP measure in its periodic filings, that measure should be subject to rigorous internal controls, should not be presented more prominently than similar GAAP measures, and should otherwise conform to applicable regulations.&#160; Any new proposed non-GAAP measure should be discussed with the audit committee, as appropriate, prior to initial publication.&#160; </p><p> <em>G. Alternate and Preferable GAAP Accounting Treatments</em></p><p>At least quarterly, each regulated entity's audit committee should review management's analyses of significant financial reporting issues and accounting judgments made in preparing the entity's financial statements.&#160; To facilitate this review, management should highlight, and the committee should review, significant new or unusual items arising during the financial quarter, and management's anticipated implementation of significant new or revised GAAP.&#160; These reviews should include effects of alternative GAAP methods.&#160; The audit committee should also review and discuss these areas (and others as described in applicable rules, regulations, and guidance) with the external auditor.&#160;</p><p>FHFA believes that it is prudent for the regulated entities' audit committees to assess the costs and benefits of engaging an independent third party to evaluate one or more accounting policy areas at least every two years.&#160; Committees should report their findings to their board of directors and to FHFA.&#160; Such a review may be appropriate for new or revised GAAP guidance and/or for new types of transactions that the regulated entity expects to become material, especially those for which the accounting may involve significant estimates and/or management judgments.&#160;&#160;&#160;</p><p>If the audit committee determines that the results of any such assessment warrant a targeted evaluation, it should then consider the appropriate form and scope of the engagement.&#160; Given the potential relevance of such assessments to FHFA's supervisory responsibilities, the regulated entity should structure any targeted evaluation engagement so as to make reports and workpapers available for review by FHFA.&#160;</p><p> <strong>II. External Audit Function Oversight</strong></p><p>Rigorous and effective audit committee oversight of external audit functions is critical to secure the benefits of an independent, high-quality audit.&#160; FHFA expects each regulated entity's audit committee to perform this role in accordance with applicable FHFA, SEC, and NYSE requirements.&#160; Further, FHFA expects each audit committee to establish and maintain appropriate charter elements, and well-documented policies where needed, around this oversight role. &#160;Finally, FHFA encourages regulated entities to develop, and audit committees to regularly review and approve for publication, disclosures that provide insight and information to stakeholders about how the committees oversee their external auditors.</p><p>A. Overseeing the External Audit Relationship</p><p>The concepts in this section should be considered when appointing, retaining, or terminating an external auditor.</p><p>1. Monitoring Performance</p><p>Each regulated entity's audit committee should perform and document a comprehensive assessment of the external audit firm's performance at least annually.&#160; As part of the review, the committee should request and review input from audit committee members, management, and internal auditors regarding the performance of the external auditors.&#160; The current external auditor's tenure should be considered as a factor in the assessment.&#160;</p><p>FHFA expects each audit committee to identify and consider Audit Quality Indicators (AQIs) to inform dialogue and discussions with the external auditor. &#160;AQIs are qualitative and quantitative performance metrics to help inform stakeholders, including audit committees, about key conditions or attributes that may contribute to audit quality. &#160;AQIs may be defined at both the auditing firm and the audit engagement team levels.&#160; While there is no regulation or auditing standard requiring firms to report or audit committees to use AQIs, larger auditing firms provide firm-level AQIs and/or similar information to their stakeholders. <a href="#footnote10"> <span style="text-decoration&#58;underline;">[10]</span></a> &#160;FHFA views identifying and assessing AQIs as a best practice in assessing external auditor performance.&#160;</p><p>The audit committee should consider the external auditor's internal quality control procedures, including the auditing firm's processes for performing quality control reviews, when evaluating the external auditor.&#160; The committee should discuss the auditing firm's internal quality control reviews and external PCAOB inspection results with the external auditors as part of their performance assessment. &#160;The committee should pay particular attention to any deficiencies or non-compliance issues identified by the PCAOB or internal reviews that are relevant to their regulated entity's audit.&#160; To aid in this process, the audit committee should request that the external auditor align any PCAOB inspection deficiencies with potential areas of exposure to the audit of the regulated entity.&#160; The audit committee should have a good understanding of how the audit firm is addressing any identified deficiencies, including remediation plans and timetables.</p><p>Auditing firm tenure is not explicitly addressed by FHFA or SEC regulations. &#160;Even if an incumbent auditing firm has performed satisfactorily, FHFA considers it prudent for audit committees to periodically consider, and document their consideration of, the potential costs and benefits of changing or retaining their incumbent auditing firms at least every five years, or more frequently if circumstances warrant. <a href="#footnote11"> <span style="text-decoration&#58;underline;">[11]</span></a> &#160;</p><p>2. Monitoring Independence</p><p>External auditor independence is necessary for a reliable audit. &#160;Therefore, each regulated entity's audit committee should carefully consider regulatory and professional requirements regarding independence in fact and appearance during all phases of the audit engagement. <a href="#footnote12"> <span style="text-decoration&#58;underline;">[12]</span></a>&#160; Independence requirements apply to the external auditing firm, to engagement and concurring partners, and to auditing firm staff and contractors working on the engagement. The audit committee should have a robust process for monitoring and assessing the external auditor's independence, including understanding how the external auditor assesses and monitors independence within the auditing firm.&#160;</p><p>The external auditor's communications to the audit committee regarding independence and the committee's related discussions and decisions regarding the auditor's independence should be appropriately documented.&#160; Arrangements regarding any permissible non-audit services to be provided by the audit firm should be clear and transparent, should not involve contingent compensation other than appropriate arrangements for tax work, and should be pre-approved by the audit committee.&#160; If the committee delegates some of its pre-approval authority to, for example, its Chair, it should subsequently ratify the delegate's approval.&#160;&#160;</p><p>At least annually, the committee should review the nature of all services performed by the external audit firm and assess the relative magnitude of fees and personnel involved.&#160; The committee should then consider establishing safeguards, as needed, to mitigate potential threats to audit independence that may arise as a result of providing these other services.&#160; Further, the audit committee should be informed about and consider business and financial relationships between the auditor and the regulated entity or its officers, directors, or significant shareholders, and about employment of former regulated entity employees by the auditing firm and vice versa, as necessary to identify and address circumstances that could indicate a lack of independence or the appearance thereof.&#160;</p><p> <em>B. Communication with External Auditor and Audit Engagement Letters</em></p><p>Each regulated entity's audit committee and its external auditor should have an open working relationship.&#160; Communications should be frank and robust and should cover the full range of potential topics related to financial reporting and audit risks.&#160; Significant discussions during scheduled audit committee meetings should be clearly documented in committee minutes.&#160; Other relevant substantive discussions should be appropriately documented in audit committee packages or minutes.&#160; Audit committees can promote effective communications by&#58;&#160;</p><ul><li>Maintaining a direct line of communication with the external auditor, including periodic, informal contact by the committee chair and regular executive sessions;</li><li>Requesting periodic involvement of other external audit partners, such as concurring, review, and tax partners at the audit committee meetings; </li><li>Discussing the external auditor's audit risk assessment and audit plan for the regulated entity;</li><li>Discussing with the auditor (and management, as applicable) any new, unusual, or non-standard representations made by management in their management representations letter; and</li><li>Requesting and reviewing insights from audit committee members, management, and internal auditors regarding the performance of the external auditors, at least annually.&#160;</li></ul><p>It is also important for the audit committee to have ongoing communication with the external auditor regarding its audit fees.&#160; One objective of those communications is to provide assurance to the audit committee that negotiations for the fees and the fee arrangements themselves encourage the external auditor to conduct rigorous, high-quality audits and reviews.&#160;</p><p>The engagement letter is the key document defining the relationship between the regulated entity and its external auditor.&#160; FHFA's authority to examine the regulated entities allows it to have access to all regulated entity documents, including accounting records. &#160;FHFA expects regulated entities' external audit engagement letters to be consistent with FHFA's examination authority. &#160;Accordingly, FHFA expects that each regulated entity's engagement letter should&#58;&#160;</p><ul><li>Provide that the external auditor may, upon FHFA's request, provide FHFA with access to the senior audit partners on the engagement and any other personnel whom such partners deem necessary, as well as to the external auditor's working papers prepared in the course of performing the services set forth in the engagement letter, and that such access to the external auditor may be without regulated entity personnel in attendance;</li><li>Not contain any provisions that would be characterized as unsafe and unsound under the “Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters&quot;;<a href="#footnote13"><span style="text-decoration&#58;underline;">[13]</span></a> and</li><li>Provide that the external auditor, without the approval of the regulated entity, may meet with FHFA with such frequency and about such matters as determined by FHFA, and may provide reports or other communications arising from the audit engagement directly to FHFA.</li></ul><p> <em>C. Audit Committee Transparency</em></p><p>FHFA regulations and guidelines require that the audit committees for the regulated entities review their charters annually and that the boards of directors reapprove them at least every three years. <a href="#footnote14"> <span style="text-decoration&#58;underline;">[14]</span></a> &#160;&#160;FHFA's regulated entities regularly publish their audit committee charters.&#160; Besides serving as the committee's roadmap to help ensure that it fulfills all of its duties and obligations, a well-drafted charter can provide outside readers with insights on the committee's governance and functions.&#160;</p><p>Under the PCAOB standards, auditor tenure is now a required element of the independent auditor's report.&#160; Also, critical audit matters—which are matters that have been communicated to the audit committee, are related to accounts or disclosures that are material to the financial statements, and involved especially challenging, subjective, or complex auditor judgment—must be reported by the auditor beginning in the next few years. <a href="#footnote15"> <span style="text-decoration&#58;underline;">[15]</span></a>&#160; While this reporting is the responsibility of public companies' external auditors, we believe that these requirements evidence increased demand by financial statement users for information on audits and audit governance.&#160;&#160;</p><p>While effective audit committee oversight of and engagement with the external auditor are keys to obtaining a high-quality audit, there are no formal rules or standards that require those topics to be reported to shareholders. &#160;That said, industry studies confirm an increasing trend among public companies to make enhanced voluntary disclosures about their audit committees' oversight of the external audit function. &#160;Examples include disclosures about the factors that the audit committee considers when appointing or retaining an external auditor, the role of the audit committee in fee negotiations and compensation, the length of time the auditor has been engaged, whether evaluations of the auditing firm are done annually, and audit partner selection and rotation. <a href="#footnote16"> <span style="text-decoration&#58;underline;">[16]</span></a>&#160;</p><p>FHFA encourages each regulated entity's audit committee to consider providing such voluntary disclosures regarding its role in supporting a quality audit. &#160;The audit committee should remain aware of industry trends and developments regarding audit committee transparency and should work to provide the regulated entity's stakeholders with relevant information regarding their activities to the extent practicable.&#160;</p><p> <strong>III. Annual Review by Audit Committee</strong></p><p>At least annually, each regulated entity's audit committee should review, with any appropriate professional assistance, the committee's performance in light of the requirements of laws, rules, and regulations that are applicable to its activities and duties.&#160; The committee should also assess whether it is operating consistent with applicable regulatory guidance.&#160; The audit committee should provide the FHFA Chief Accountant with the materials and procedures employed in such review, as well as the final report. &#160;The review may be done as part of a committee self-assessment, an outside review, or a combination of approaches.&#160;</p><p> <strong>Related Regulations and Guidance</strong></p><p>12 CFR Part 1236 and Appendix – Prudential Management and Operations Standards&#160;</p><p>12 CFR Part 1239 – Responsibilities of Boards of Directors, Corporate Practices and Corporate Governance Matters&#160;</p><p>12 CFR Part 1273 – Office of Finance&#160;</p><p>12 CFR Part 1274 – Financial Statements of the Banks&#160;</p><p>Securities and Exchange Commission Guidance Regarding Management's Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934, 72 Fed. Reg. 35324 (June 27, 2007) (codified at 17 CFR Part 241)</p><p>Securities and Exchange Commission Rule 10A-3&#58; Listing Standards Relating to Audit Committees (National Securities Exchanges), 17 CFR § 240.10A-3</p><p>Securities and Exchange Commission Rule Reg. S-X&#58; Form and Content of and Requirements for Financial Statements, Securities Act of 1933, Securities Exchange Act of 1934, Investment Company Act of 1940, Investment Advisers Act of 1940, and Energy Policy and Conservation Act of 1975 (Qualifications and Reports of Accountants), 17 CFR § 210.2-01 through -07</p><p>Securities and Exchange Commission Rule Reg. S-K&#58; Standard Instructions for Filing Forms under Securities Act of 1933, Securities Exchange Act of 1934 and Energy Policy and Conservation Act of 1975, 17 CFR Part 229</p><p>Public Company Accounting Oversight Board Rule 3526&#58; Auditor Communications with Audit Committees Concerning Independence</p><p>NYSE, Inc., Listed Company Manual, § 303A (Corporate Governance Standards) (2018)</p><p> <br>&#160;</p><hr width="25%" align="left" /><p> <a name="footnote1"><span style="text-decoration&#58;underline;">[1]</span></a>&#160;The OF is not a “regulated entity&quot; as the term is defined by 12 U.S.C. 4502(20), but for convenience, references to the “regulated entities&quot; in this AB should be read to also apply to the OF as regards its roles in issuing combined financial reports and engaging the external auditor for those reports, and to regulated entities' affiliates as regards their roles, if any, in issuing public financial reports and in engaging external auditors.</p><p> <a name="footnote2"><span style="text-decoration&#58;underline;">[2]</span></a>&#160;Duties of FHLBank audit committees are described in 12 CFR 1239.32. Duties of the OF audit committee are described in 12 CFR 1273.9. Part 1239 stipulates that the duties and responsibilities of Enterprise audit committees are set forth under rules issued by the New York Stock Exchange, and further requires that those committees comply with requirements set forth under section 301 of the Sarbanes-Oxley Act, 15 U.S.C.§ 78j-1(f). The Prudential Management and Operations Standards set forth in the Appendix to 12 CFR Part 1236 also include standards applicable to the audit committees of the FHLBanks and Enterprises.</p><p> <a name="footnote3"> <span style="text-decoration&#58;underline;">[3]</span></a><em>&#160;See </em>12 CFR 1274.2(c).</p><p> <a name="footnote4"> <span style="text-decoration&#58;underline;">[4]</span></a><em>&#160;See </em>12 CFR 1274.2(c).</p><p> <a name="footnote5"> <span style="text-decoration&#58;underline;">[5]</span></a><em>&#160;See </em>12 CFR 1274.2(d), (e).</p><p> <a name="footnote6"> <span style="text-decoration&#58;underline;">[6]</span></a><em>&#160;See </em>12 CFR Part 1236, Appendix (Standard 10.1) and 12 CFR 1273.6(b) (2).</p><p> <a name="footnote7"> <span style="text-decoration&#58;underline;">[7]</span></a> SEC Exchange Act Rule 13a-15(f) defines the term “internal control over financial reporting&quot; as&#58; a process designed by, or under the supervision of, the issuer's principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that&#58;</p><ol><li>Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;</li><li>Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and</li><li>Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements.</li></ol><p> <em>See </em>17 CFR 240.13a-15(f).</p><p> <a name="footnote8"> <span style="text-decoration&#58;underline;">[8]</span></a> For the OF, this refers to the ICFR over the OF's process for producing the FHLBanks' combined financial reports.&#160;</p><p> <a name="footnote9"> <span style="text-decoration&#58;underline;">[9]</span></a> On comparability and consistency, see FASB Statement of Financial Accounting Concepts No. 8 as amended August 2018.</p><p> <a name="footnote10"> <span style="text-decoration&#58;underline;">[10]</span></a> See Center for Audit Quality, “Audit Quality Indicators&#58;&#160; The Journey and Path Ahead,&quot; Jan. 12, 2016.</p><p> <a name="footnote11"> <span style="text-decoration&#58;underline;">[11]</span></a> The FHLBanks and the OF, in light of the FHLBank System's requirement to issue combined financial statements, have historically engaged the same external audit firm.&#160; Therefore, they undertake external auditor performance reviews and decisions on which audit firm to engage jointly.</p><p> <a name="footnote12"> <span style="text-decoration&#58;underline;">[12]</span></a> The external auditor must meet the requirements of independence set forth by the PCAOB Auditing Standard 1005 and in the SEC regulations at 17 CFR § 210.2-01.&#160;</p><p> <a name="footnote13"> <span style="text-decoration&#58;underline;">[13]</span></a> 71 Fed. Reg. 6847 (Feb. 9, 2006).</p><p> <a name="footnote14"> <span style="text-decoration&#58;underline;">[14]</span></a><em>&#160;See </em>12 CFR Part 1236, Appendix (Prudential Management and Operations Standard 2.2) (regulated entity boards); 12 CFR 1239.32(d) (1), (2) (Bank audit committees and boards of directors); 12 CFR 1273.9(c) (1) (i), (ii) (Office of Finance). Enterprise boards of directors must adopt a written charter for each board committee and comply with the committee requirements of the NYSE rules and section 301 of the Sarbanes-Oxley Act, 15 U.S.C. § 78j-1. <em>See </em>12 CFR 1239.5(b). Neither those incorporated provisions nor the regulation itself imposes any requirements with respect to the review or re-approval of committee charters.</p><p> <a name="footnote15"> <span style="text-decoration&#58;underline;">[15]</span></a><em>&#160;See </em>PCAOB Auditing Standard 3101.</p><p> <a name="footnote16"> <span style="text-decoration&#58;underline;">[16]</span></a><em>&#160;See </em>2018 Audit Committee Transparency Barometer prepared by the Center for Audit Quality and by Audit Analytics (November 2018).</p><p> <em>&#160; </em></p> <em> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities. Questions about this advisory bulletin should be directed to <a href="mailto&#58;SupervisionPolicy@FHFA.gov">SupervisionPolicy@FHFA.gov</a>. </p></td></tr></tbody></table> <p>&#160;</p></em>8/20/2020 5:00:54 PMHome / Supervision & Regulation / Advisory Bulletins / Financial Reporting and Disclosure and External Audit Advisory Bulletin AB 2020-04: FINANCIAL REPORTING AND DISCLOSURE 5178https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Credit Risk Transfer – Analysis and Reporting27606Fannie Mae & Freddie Mac11/14/2019 5:00:00 AMAB 2019-06<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN</p><p>AB 2019-06&#58; Credit Risk Transfer – Analysis and Reporting</p></td></tr></tbody></table><p> <strong style="text-decoration&#58;underline;"> <em> <br>Purpose</em></strong></p><p>This advisory bulletin articulates the Federal Housing Finance Agency’s (FHFA) supervisory expectations for the analysis and internal reporting of certain proposed or in-force credit risk transfer (CRT) activities.&#160; This advisory bulletin applies to Fannie Mae and Freddie Mac (Enterprises) and is effective immediately.</p><p>The scope of this advisory bulletin addresses risk analysis and reporting for individual and aggregate CRT activities.&#160; This advisory bulletin excludes primary mortgage insurance, seller indemnification, collateralized lender recourse, and multifamily lender loss sharing.</p><p>Enterprise CRT activities include debt instruments with varying structures and characteristics as well as insurance or reinsurance transactions and senior/subordinate securitizations.&#160; CRT programs are integrated with core single-family and multifamily business activities and affect the Enterprises’ overall credit risk profiles.&#160; </p><p>The comprehensive analysis and internal reporting of CRT activities support Enterprise safety and soundness.&#160; The Enterprises’ CRT programs could pose considerable financial risk exposure if associated risks are not adequately understood and managed.&#160; Robust risk analysis coupled with effective reporting to senior management and, as appropriate, the board of directors could identify potential risk and further support the oversight of the CRT program.&#160; </p><p>The guidance section outlines FHFA’s supervisory expectations regarding analysis and reporting for CRTs.&#160; The Enterprises may augment the analyses included in this advisory bulletin with other types of analyses deemed appropriate by management or the board of directors.<br></p><p> <strong style="text-decoration&#58;underline;"><em>Background</em></strong></p><p>The ownership or guarantee of mortgage-related instruments exposes the Enterprises to credit risk.&#160; Credit risk transfers can moderate the risk of credit-related losses and expenses by mitigating the Enterprises’ credit risk exposure.&#160; The Enterprises routinely transfer credit risk to third-party investors through the capital markets, and to insurance and reinsurance companies through negotiated transactions.</p><p>The use of CRT transactions alters the earnings and credit risk profiles of the Enterprises by transferring some portion of estimated credit losses.&#160; Modeling applications estimate these credit losses.&#160; Credit losses transferred to investors or insurers, over the term of the CRT transaction, could differ significantly from the Enterprises’ original estimates of expected credit losses absorbed by investors or insurers.&#160; </p><p>This advisory bulletin discusses approaches designed to provide both an economic view as well as a view into the financial impact of CRT transactions.&#160; <br>Risks associated with CRT transactions, as noted in more details below, include residual credit risk, financial risk, price risk, model risk, counterparty credit risk, and mark-to-market risk.&#160; Fully understanding the risks and their potential earnings and capital impact is an important step in determining appropriate risk mitigants for those risks that can be controlled and reasonably managed. </p><p> <em>Residual Credit Risk</em></p><p>Residual credit risk refers to the credit risk remaining with the Enterprises from the loans in the reference pool.&#160; Typically, only a portion of credit risk is transferred at the origination of the CRT transaction.&#160; Additionally, termination dates for some CRT transactions may be earlier than the contractual maturity of the underlying single-family or multifamily mortgage loans in the reference pool.&#160; If credit loss events on single-family or multifamily loans in the reference pool occur after the maturity of the CRT issuance or insurance transaction, the Enterprises remain exposed to residual credit risk for the lifetime of loans remaining in the original reference pool.</p><p> <em>Financial Risk</em></p><p>Financial risk is the uncertain net earnings and balance sheet impact attributed to the costs and the credit loss protection provided by investors or insurers.&#160; The Enterprises’ cost to purchase credit protection through CRT transactions may be substantial in relation to guarantee fee revenue.&#160; The expected credit risk mitigation provided by investors and insurers is not precisely known at origination and requires complex calculations to estimate.&#160; Financial risk could be significant and could negatively affect corporate profitability and capital levels.</p><p> <em>Price Risk</em></p><p>Price risk refers to the risk that it may not be feasible for an Enterprise to enter into new CRT transactions because of market-driven costs.&#160; An Enterprise’s ability to transfer credit risk on an ongoing and regular basis is dependent on third-party investor or counterparty demand to enter into new transactions, but this demand may significantly weaken or disappear during periods of adverse economic or poor market conditions.&#160; The interest of market participants may vary over housing price cycles and could influence demand for new and existing CRT instruments.&#160; The countercyclical nature of some CRT transactions could expose the Enterprises to price risk, as they may incur considerably higher costs by entering into CRT transactions during times of significant economic downturns or severely adverse market disruptions.</p><p> <em>Model Risk</em></p><p>Model risk refers to the earnings and capital exposure from inadequate model results or weaknesses in model governance, processes, or controls.&#160; Enterprise management relies in part on sophisticated quantitative analyses and complex models.&#160; These models estimate Enterprise credit risk, including the financial costs of CRT transactions.&#160; Estimates of mortgage interest rates and house price movements are significant factors in management’s analysis.&#160; Models and analytical processes are sensitive to data inputs, key assumptions, and the complexity of calculation methodologies.&#160; </p><p> <em>Counterparty Credit Risk</em></p><p>Some CRT transactions introduce counterparty credit risk.&#160; While CRT transactions serve to reduce credit risk exposure from individual borrowers, the reduction may be partially offset by added credit risk from corporate counterparties.&#160; Counterparty credit risk is introduced in insurance-related CRT transactions, as the risk that an insurance company will not fulfill its potential obligation is substituted for the risk that individual borrowers will not meet their obligation with respect to the underlying mortgage loan.</p><p> <em>Mark-to-Market Risk</em></p><p>Mark-to-market risk refers to the market price volatility or sensitivity associated with CRT issuances.&#160; The Enterprises are exposed to mark-to-market risk for some CRT transactions.&#160; Changes in fair market values may have a negative financial performance or capital impact.&#160; For example, an Enterprise may issue unsecured debt in the form of a CRT transaction and record fair market gains or losses based on price changes.&#160; Hedging activities may mitigate the underlying mark-to-market risk inherent in the CRT transaction.<br></p><p> <strong style="text-decoration&#58;underline;"><em>Guidance</em></strong></p><p>This section outlines FHFA’s supervisory expectations regarding analysis and internal reporting for CRTs.&#160; The analyses described below will allow senior management to understand individual and aggregate CRT transactions and inform corporate business decisions, and the aggregate reporting will inform the board of directors or a designated committee of the board.&#160; These analyses should be completed in a timely manner, and documentation should include an explanation and support for significant management assumptions or estimates, detailed model results, and key analytical factors.&#160;&#160;</p><p style="margin-left&#58;40px;"> <strong>I. Analysis of CRT</strong></p><p>Analyses A, B, and D described below do not depend on economic, regulatory, or imputed capital or capital costs.</p><p style="margin-left&#58;40px;"> <em>A.&#160;Analysis of Expected Revenues and Expected Costs</em></p><p style="margin-left&#58;80px;">1. Transaction-Level Analysis</p><p style="margin-left&#58;80px;">Transaction-level analyses should thoroughly evaluate the financial value of individual CRT transactions, that is, the expected revenues and expected costs that result from CRT transactions.&#160; Revenues and costs include guarantee-fee income, expected default costs, and transaction costs associated with a CRT structure. The cashflow analysis should cover the full term of the underlying mortgages in the reference pool.&#160; Management should use stochastic credit risk models to generate forecasts of prepayment, default, and severity using relevant macroeconomic factors.&#160; The macroeconomic factors, at a minimum, include interest rates and house prices.&#160; For a meaningful analysis, a wide-range of economic scenarios should be included.</p><p style="margin-left&#58;80px;">Two types of transaction-level analyses should be performed on the reference pool&#58;&#160; (a) transaction analysis without CRT; and (b) transaction analysis with CRT.&#160; Both types of transaction-level analysis should use the methods described above.&#160; </p><p style="margin-left&#58;80px;"> <em>(a) Transaction Analysis without CRT.</em>&#160; This analysis evaluates the estimated cashflows by calculating estimated expected pre-tax revenues (guarantee fees) and associated expected expenses (including credit losses and interest expense) for the reference pool.&#160; Management should calculate the revenues and expenses for each of the simulated paths.&#160; The path-level results should then be aggregated to determine overall expected net revenue.</p><p style="margin-left&#58;80px;"> <em>(b) Transaction Analysis with CRT.</em>&#160; This analysis evaluates the estimated cashflows by calculating estimated expected pre-tax revenues (guarantee fees) and associated expected expenses (including credit losses and interest expense) for the reference pool.&#160; Management should calculate the revenues and expenses for each of the simulated paths with the proposed CRT transaction.&#160; The path-level results should then be aggregated to determine overall expected net revenue.</p><p style="margin-left&#58;80px;">In addition to analyses (a) and (b), management should develop at least one stress test by evaluating revenue and credit losses absorbed by investors or insurers for paths that exceed a specific high confidence level (e.g., 90%, 95%, or 99%).&#160;&#160; For CRT transactions with a counterparty credit risk component, transaction analyses should incorporate an assessment of the credit risk associated with the underlying counterparty.</p><p style="margin-left&#58;80px;">2. Consolidated Analysis </p><p style="margin-left&#58;80px;">Consolidated analysis should assess the net financial impact of aggregated CRT transactions on financial performance.&#160; This analysis should calculate the impact of existing CRT transactions incorporating all business segments of corporate revenue and expenses.&#160; The results should provide insight into the aggregate and full impact of CRTs.</p><p style="margin-left&#58;80px;">In order to conduct the consolidated analysis, the stochastic analysis to estimate net revenues and credit losses absorbed by investors or insurers described above should be estimated (ex-post, on a transaction level) and aggregated. </p><p style="margin-left&#58;40px;"> <em>B.&#160;Earnings Forecast Analysis</em></p><p style="margin-left&#58;80px;">Earnings forecast analysis should assess the annual forecasted generally accepted accounting principles (GAAP) impact for aggregate CRT activities.&#160; This analysis should be designed to calculate the impact of existing CRT transactions on future corporate revenue and expenses.&#160; The analysis should cover each year of the duration of all CRT transactions existing at the time of the analysis.</p><p style="margin-left&#58;80px;">The methodology used for this earnings forecast analysis should be comparable to the transaction-level financial analysis (described above) to allow for meaningful benchmarking analysis.&#160; Specifically, individual transactions should be modeled stochastically before results are consolidated.&#160; Key model methodology, assumptions, and inputs should be transparent and well supported.&#160; Stress testing should also be a component of the earnings forecast analysis to add a meaningful dimension.&#160; The earnings forecast analysis should include sufficient time period intervals to allow Enterprise management to assess significant timing differences between CRT expenses or costs and the absorption of credit losses by investors or insurers that may occur well after the initial CRT transaction.</p><p style="margin-left&#58;40px;"> <em>C.&#160;Price Risk Analysis </em></p><p style="margin-left&#58;80px;">The price risk analysis should measure the strength and health of the CRT market in order to assess the economic sensibility of entering into new CRT transactions.&#160; The cost to transfer credit risk may vary depending on the position of the economy in the economic cycle.&#160; It may be more expensive for the Enterprises to transfer credit risk during periods of economic instability or uncertainty.&#160; Enterprise management should develop measures to analyze CRT price risk.&#160; </p><p style="margin-left&#58;80px;">Enterprise secondary market purchases or sales of previously issued CRT securities should include consideration of the potential impact on corporate CRT strategies and overall CRT effectiveness.&#160; These transactions could reduce the amount of credit risk that has previously been transferred through a CRT transaction.&#160; For this reason, an analysis of the potential impact to CRT effectiveness should be performed prior to secondary market transactions.</p><p style="margin-left&#58;40px;"> <em>D.&#160;Industry Analyses </em></p><p style="margin-left&#58;80px;">Credit rating agencies and other industry participants play a role in the Enterprise CRT market.&#160; Industry participants may conduct analytical assessments for individual CRT instruments using proprietary models and evaluation techniques.&#160; Management should review and understand the analytical approach and results of analyses performed by rating agencies or other industry participants and identify significant differences from internal Enterprise analyses.</p><p style="margin-left&#58;40px;"> <strong>II.&#160;Management and Board of Directors Reporting</strong><br></p><p style="margin-left&#58;40px;">The management and board of directors reporting described in this section may be presented as independent, standalone reports, or incorporated into existing reporting processes.&#160; If incorporated into existing reporting processes, management should ensure that CRT analysis results are given attention commensurate with the significance of the analytical results and findings.&#160; Whether standalone or incorporated into an existing reporting process, the CRT reports should contain sufficient detail to adequately inform the intended audience and sufficiently support related business decisions.</p><p style="margin-left&#58;40px;"> <em>A.&#160;Analysis of Expected Revenues and Expected Costs</em></p><p style="margin-left&#58;80px;">1. Transaction-Level Analysis</p><p style="margin-left&#58;80px;">The results of the transaction-level analyses for individual single-family CRT transactions should be included in transaction-level, pre-transaction analysis reported to business line management.&#160; For multifamily CRT transactions, results may be aggregated and reported to business line management on a quarterly basis.&#160; Senior management should also review a summary of transaction reports.</p><p style="margin-left&#58;80px;">2. Consolidated Analysis</p><p style="margin-left&#58;80px;">The CRT consolidated analysis should be prepared on at least an annual basis with detailed results reported to senior management.&#160; The board of directors or designated board committee should review a summary of the consolidated analysis.</p><p style="margin-left&#58;40px;"> <em>B.&#160;Earnings Forecast Analysis </em></p><p style="margin-left&#58;40px;">The CRT earnings forecast analysis should be prepared on at least an annual basis with detailed results reported to senior management.&#160; The board of directors or designated board committee should review a summary of the earnings forecast analysis.</p><p style="margin-left&#58;40px;"> <em>C.&#160;Price Risk Analysis </em></p><p style="margin-left&#58;40px;">Price risk analysis results should be incorporated into senior management reporting.</p><p style="margin-left&#58;40px;"> <em>D.&#160;Industry Analyses </em></p><p style="margin-left&#58;40px;">Internal evaluations of industry CRT analyses should be reported to business line management at least annually, with more frequent reporting or reporting to Enterprise management and, the board of directors, or designated board committee, as appropriate, if interim analyses indicate significant findings.</p><p> <br> <em><strong style="text-decoration&#58;underline;">Related Guidance and Regulations</strong></em></p><p>12 CFR Part 1236, Appendix, Prudential Management and Operations Standards. </p><p>12 CFR Part 1239, Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance.</p><p> <em> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Interest-Rate-Risk-Management_2018-09.aspx">Interest Rate Risk Management</a></em>, Federal Housing Finance Agency, Advisory Bulletin AB-2018-09, September 28, 2018.</p><p> <em> <a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB_2013-07_Model_Risk_Management_Guidance.pdf">Model Risk Management Guidance</a></em>, Federal Housing Finance Agency, Advisory Bulletin AB-2013-07, November 20, 2013.<br></p>&#160;&#160;&#160;&#160;&#160;&#160; <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. &#160;Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. &#160;Questions about this advisory bulletin should be directed to&#58;&#160; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. </p></td></tr></tbody></table>11/14/2019 8:01:21 PMHome / Supervision & Regulation / Advisory Bulletins / Credit Risk Transfer – Analysis and Reporting Advisory Bulletin AB 2019-06: Credit Risk Transfer – Analysis and 4747https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Compliance Risk Management27499Fannie Mae & Freddie Mac10/3/2019 4:00:00 AMAB 2019-05<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN</p><p>AB 2019-05&#58; Compliance Risk Management</p></td></tr></tbody></table><p> <strong style="text-decoration&#58;underline;"><em><br>Purpose</em></strong><br><br>This advisory bulletin (AB) communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency’s (FHFA) supervisory expectations for a compliance risk management program (compliance program) <span class="ms-rteStyle-References"> </span> <a href="#footnote1"> <span class="ms-rteStyle-References"><span style="text-decoration&#58;underline;">[1]</span></span></a>&#160; to maintain the safety and soundness of the Enterprises’ operations.&#160; The sophistication of the compliance program should be proportionate to each Enterprise’s size, complexity, and risk profile.&#160; The compliance program should be designed to promote compliance with applicable laws, regulations, rules, prescribed practices, internal policies and procedures, and ethical and conflict-of-interest standards (compliance obligations).&#160;</p><p> <strong style="text-decoration&#58;underline;"><em>Background</em></strong></p><p>Compliance risk is the risk of legal or regulatory sanctions, damage to the current or projected financial condition, damage to business resilience, or damage to reputation resulting from nonconformance with compliance obligations.<a href="#footnote2"><span class="ms-rteStyle-References" style="text-decoration&#58;underline;">[2]</span></a>&#160; In addition, an Enterprise may be exposed to compliance, reputational, or other risks as a result of a third-party provider's failure to comply with the Enterprise's expectations and operating standards and to meet all relevant legal and contractual requirements.&#160; An effective compliance program supports safe and sound operations through policies and procedures designed to enable oversight of compliance risk management by the board of directors, or appropriate board-level committee (board). </p><p>Effective management of compliance risk requires the Enterprises to address numerous complex compliance obligations and the Enterprises' high volume of transactions.&#160; The guiding principles of sound risk management are set forth in FHFA's regulation at 12 CFR Part 1239, Responsibilities of Boards of Directors, Corporate Practices and Corporate Governance (Corporate Governance Rule), and in the Appendix to 12 CFR Part 1236, Prudential Management and Operations Standards (PMOS).&#160; </p><p>FHFA's general standards for safe and sound operations are set forth in the PMOS. &#160;Three relevant PMOS articulate guidelines for an Enterprise's board of directors and senior management to evaluate when establishing internal controls and information systems (Standard 1), overall risk management processes (Standard 8), and maintenance of adequate records (Standard 10). &#160;While the guiding principles of sound risk management in the Corporate Governance Rule and the PMOS are the same for compliance risk as for other types of risk, the management of compliance risk presents certain unique challenges.&#160; For example, compliance risk appetite and metrics may be difficult to establish and measure and compliance obligations must be addressed on an Enterprise-wide basis.<a href="#footnote3"><span style="text-decoration&#58;underline;">[3]</span></a>&#160; In addition, while compliance risks associated with third-party providers may be difficult to monitor based on information gathered in the normal course of business, the Enterprises should anticipate and manage exposures associated with third-party provider relationships across the Enterprises' full range of operations.<a href="#footnote4"><span style="text-decoration&#58;underline;">[4]</span></a></p><p> <strong style="text-decoration&#58;underline;"><em>Guidance</em></strong></p><p>FHFA expects each Enterprise to have a comprehensive, risk-based compliance program aligned with its enterprise-wide risk management program<a href="#footnote5"><span style="text-decoration&#58;underline;">[5]</span></a> and in accordance with all relevant FHFA guidance.&#160; An Enterprise's compliance program should include policies and procedures designed to manage compliance risk across its entire organization, both within and across business lines and the three lines of defense.&#160; The compliance program should include the following components&#58;</p><ol><li>Compliance Governance</li><li>Compliance Policies and Procedures</li><li>Compliance Staffing and Compensation</li><li>Compliance Monitoring, Testing, and Remediation</li><li>Compliance Communication and Training&#160;<br>&#160;</li></ol><p><strong>1)&#160;&#160;&#160;&#160;&#160; Compliance Governance</strong></p><p>The board should have an appropriate understanding of the types of compliance risks to which the Enterprise is exposed.<a href="#footnote6"><span style="text-decoration&#58;underline;">[6]</span></a>&#160; The board is responsible for exercising reasonable oversight to ensure that the compliance program is designed, implemented, reviewed, and revised in an effective manner.<a href="#footnote7"><span style="text-decoration&#58;underline;">[7]</span></a> &#160;The compliance program must be headed by a compliance officer<a href="#footnote8"><span style="text-decoration&#58;underline;">[8]</span></a> with the appropriate qualifications, experience, authority, accountability, and independence.<a href="#footnote9"><span style="text-decoration&#58;underline;">[9]</span></a>&#160; It should also be aligned with the enterprise-wide risk management program and board-approved risk appetites, including limits restricting exposures to third-party providers.<a href="#footnote10"><span style="text-decoration&#58;underline;">[10]</span></a>&#160; The board and senior management<a href="#footnote11"><span style="text-decoration&#58;underline;">[11]</span></a> should ensure that the compliance officer and the compliance program have adequate resources, including well-trained and capable staff.<a href="#footnote12"><span style="text-decoration&#58;underline;">[12]</span></a> &#160;</p><p>The board and senior management must discharge their duties and responsibilities in accordance with the Enterprise's code of conduct and ethics, and conduct themselves in a manner that promotes high ethical standards and a culture of compliance throughout the organization.<a href="#footnote13"><span style="text-decoration&#58;underline;">[13]</span></a>&#160; Promoting a culture of compliance includes documenting and communicating clear expectations about compliance both within the Enterprise and to third-party providers including sellers and servicers.&#160; The following activities are also part of an effective compliance culture&#58; clearly communicating the Enterprise's compliance, integrity, and business ethics standards and expectations; articulating the principle that employees and management conduct all activities in accordance with both the letter and the spirit of compliance obligations; and creating an environment where employees are encouraged to raise legal, compliance, and ethics questions and concerns without fear of retaliation.</p><p>The compliance officer must report directly to the chief executive officer<a href="#footnote14"><span style="text-decoration&#58;underline;">[14]</span></a> and should have sufficient resources and qualified staff to implement the compliance program.&#160; The compliance officer must also report regularly to the board.<a href="#footnote15"><span style="text-decoration&#58;underline;">[15]</span></a>&#160; At a minimum, these reports must address the adequacy of the Enterprise's compliance policies and procedures, including the entity's compliance with them.&#160; The compliance officer must recommend any revisions to such policies and procedures that he or she considers necessary or appropriate.<a href="#footnote16"><span style="text-decoration&#58;underline;">[16]</span></a> </p><p>First-line business functions own and manage compliance risks and implement corrective actions to address process and control deficiencies.&#160; The second line performs various risk control and compliance oversight functions.&#160; The scope and breadth of the activities of the compliance program should be subject to periodic review by the internal audit function.<a href="#footnote17"><span style="text-decoration&#58;underline;">[17]</span></a>&#160; The internal audit function's assessment of the effectiveness of the compliance program should be separate from the compliance function's monitoring and testing activities to ensure that the activities of the compliance function are subject to independent review.<a href="#footnote18"><span style="text-decoration&#58;underline;">[18]</span></a></p><p><strong>2)&#160;&#160;&#160;&#160;&#160; Compliance Policies and Procedures</strong></p><p>The processes and systems for managing compliance risk across the Enterprise should be documented in policies and procedures.&#160; The policies and procedures should also address compliance training throughout the organization.&#160; </p><p>Compliance policies should clearly articulate the roles and responsibilities of the various committees, functions, and staff with compliance responsibilities as well as the oversight role and responsibilities of the compliance officer and the board.&#160; These policies should describe the responsibilities of the compliance officer for managing and directing the implementation of the compliance program and the compliance officer's role in controlling compliance risks that transcend business lines.&#160; The policies should also address the scope of internal reporting of compliance matters to the board and senior management and the adequacy of the Enterprise's compliance policies and procedures, including the Enterprise's compliance with them.<a href="#footnote19"><span style="text-decoration&#58;underline;">[19]</span></a> </p><p style="text-align&#58;left;">The Enterprises should have policies and procedures in place to create an inventory of compliance obligations, identify new and revised compliance obligations, evaluate the impact to the business units, map obligations to internal controls, communicate changes with impacted parties and business units, promote independent reviews and escalation as necessary, and address compliance obligations in a practical and efficient way.&#160; </p><p style="text-align&#58;left;">Each Enterprise's compliance program should include compliance risk and control assessment policies and procedures designed to evaluate compliance risks associated with the Enterprise's business activities, including the development of new products and business practices.&#160; The compliance program's compliance risk assessment policies and procedures should include methods of measuring compliance risk (e.g. by using performance indicators) and use such measurements to enhance compliance risk assessments.</p><p style="text-align&#58;left;">Each Enterprise should have policies and procedures to file with FHFA any reports that may be required.<a href="#footnote20"><span style="text-decoration&#58;underline;">[20]</span></a><sup> </sup>&#160;&#160;These external reporting compliance policies and procedures should address conditions imposed in writing or written agreements between FHFA and the Enterprise.<a href="#footnote21"><span style="text-decoration&#58;underline;">[21]</span></a>&#160; </p><p style="text-align&#58;left;">The Enterprises should have first-line policies and procedures that are designed to implement enterprise-wide compliance policies and to integrate or “operationalize&quot; compliance obligations into day-to-day business processes, job duties, and responsibilities.&#160; First-line compliance policies and procedures should also promote independent reviews, identification of compliance issues, and escalation and tracking of identified issues.&#160; </p><p style="text-align&#58;left;">Procedures should describe the second-line compliance function's role in determining how business line compliance matters are addressed. &#160;Procedures for resolving disputes between the corporate compliance function and business line management regarding compliance matters should ensure that such disputes are resolved objectively.&#160; Under such procedures, the final decision-making authority should rest either with the corporate compliance function, or with a committee of senior management, including the compliance officer, that has no business line responsibilities.</p><p><strong>3)&#160;&#160;&#160;&#160;&#160; Compliance Staffing and Compensation</strong></p><p>The compliance officer should have appropriate qualifications, experience, authority, accountability, and independence.&#160; The compliance officer should have the necessary resources to implement the compliance function effectively.&#160; The compliance officer's compensation should include incentives tied to actions and outcomes within his or her control and influence and not include incentives that could impair or appear to impair the compliance program's independence.&#160; The compensation should also comply with 12 CFR Part 1230<a href="#footnote22"><span style="text-decoration&#58;underline;">[22]</span></a> as well as conform to the Enterprise's policies on compensation and performance management.</p><p>The Enterprise should have a sufficient number of staff assigned to the compliance function with requisite knowledge of business activities and compliance obligations to assess compliance risk and the effectiveness of risk controls.&#160; The compliance function may be centrally organized with dedicated staff or structured as a hybrid with first-line staff having both business and compliance responsibilities. &#160;In a hybrid approach, responsibilities for compliance activities may be delegated within the Enterprise, but oversight and ultimate responsibility for fostering an enterprise-wide compliance approach are borne centrally by the corporate compliance function.&#160; If a hybrid structure is used, compliance staff in the first line should have the ability and willingness to effectively challenge business operations regarding risk arising from the Enterprise's activities.&#160; The Enterprise should implement appropriate controls and enhanced second-line oversight to identify and address issues that may arise from conflicts of interest affecting compliance staff within the business lines. &#160;For example, in these circumstances, the Enterprise should adopt enhanced processes for the second-line compliance function's oversight of monitoring and testing activities performed by compliance staff within the business lines.&#160; In a hybrid structure, the second-line compliance function should also play a role in personnel actions and compensation decisions affecting first-line staff with compliance responsibilities.&#160; Compensation and incentive programs should avoid undermining the independence and objectivity of first-line compliance activity.&#160; </p><p><strong>4)&#160;&#160;&#160;&#160;&#160; Compliance Monitoring, Testing, and Remediation</strong></p><p>Compliance monitoring, testing, and remediation efforts should be risk-based, reflect the results of compliance risk assessments, and evaluate the adequacy and effectiveness of compliance activities across the organization.&#160; Testing and monitoring activities should provide information to compliance staff and senior executives about the operation of compliance controls across the organization, provide evidence to support an assessment of the operating effectiveness of the compliance program, and identify actual and potential instances of noncompliance.&#160; </p><p>Monitoring activities should identify control weaknesses that may fail to prevent or fail to identify noncompliance and should be designed to identify potential issues before a problem develops into noncompliance.&#160; These activities may include pre-activity approvals, transaction reviews, in-process quality checks, and outcome data reviews.&#160; The Enterprises' compliance programs should also include monitoring of third-party provider relationships to assess compliance with consumer protection-related laws and regulations and oversight of third-party providers' consumer compliance-related policies, procedures, internal controls, and training.<a href="#footnote23"><span style="text-decoration&#58;underline;">[23]</span></a>&#160; </p><p>Testing should assess the reliability of key assumptions, data sources, and procedures used in measuring and monitoring compliance risk.&#160; Controls should be tested on a periodic basis to ensure they are working as intended.&#160; If compliance controls are embedded in automated tools or business unit procedures, qualified compliance staff should review these tools and processes for consistency with entity-wide compliance policies and procedures.&#160; </p><p>The results of monitoring and testing activities should drive timely remediation of identified weaknesses. &#160;Corrective actions should be tracked and escalated as appropriate.&#160; Monitoring and testing protocols should include procedures for remedying undue delay in management response or ineffectual remediation efforts.</p><p><strong>5)&#160;&#160;&#160;&#160;&#160; Compliance Communication and Training </strong></p><p>The Enterprises should have lines of communication for employees to seek guidance and report concerns about compliance obligations.&#160; All Enterprise staff should receive specific, comprehensive compliance training appropriate to each individual's job responsibilities. &#160;Training should reinforce the Enterprise's written compliance risk management policies and procedures.&#160; When compliance policies are adopted or changed, the Enterprise should assess what, if any, training is appropriate.&#160; The Enterprise should determine whether the training should be conducted on an entity-wide or business unit level, who should be trained, and when the training should occur.</p><p> <br> <em><strong style="text-decoration&#58;underline;">Related Guidance and Regulations</strong></em></p><p>12 CFR Part 1230, Executive Compensation.</p><p>12 CFR Part 1236, Appendix, Prudential Management and Operations Standards.</p><p>12 CFR Part 1239, Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance.</p><p> <em><a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Oversight-of-Third-Party-Provider-Relationships.aspx">Oversight of Third-Party Provider Relationships</a></em>, Federal Housing Finance Agency Advisory Bulletin 2018-08, September 28, 2018.</p><p> <em><a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Oversight-of-Multifamily-SellerServicer-Relationships.aspx">Oversight of Multifamily Seller/Servicer Relationships</a></em>, Federal Housing Finance Agency Advisory Bulletin 2018-05, August 14, 2018.</p><p> <em><a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Internal-Audit-Governance-and-Function.aspx">Internal Audit Governance and Function</a></em>, Federal Housing Finance Agency Advisory Bulletin 2016–05, October 7, 2016.</p><p> <em><a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Fraud-Risk-Management.aspx">Fraud Risk Management</a></em>, Federal Housing Finance Agency Advisory Bulletin 2015-07, September 29, 2015.</p><p> <em><a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Oversight-of-Single-Family-SellerServicer-Relationships.aspx">Oversight of Single-Family Seller/Servicer Relationships</a></em>, Federal Housing Finance Agency Advisory Bulletin 2014-07, December 1, 2014.</p><p> <em><a href="/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2014-02-OPERATIONAL-RISK-MANAGEMENT.aspx">Operational Risk Management</a></em>, Federal Housing Finance Agency Advisory Bulletin 2014-02, February 18, 2014.</p><p> <em><a href="/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2013-01-CONTINGENCY-PLANNING-FOR-HIGH-RISK-OR-HIGH-VOLUME-COUNTERPARTIES.aspx">Contingency Planning for High-Risk or High-Volume Counterparties</a></em>, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013.</p>&#160;&#160;&#160;&#160;&#160;&#160; <p>&#160;</p><hr width="25%" align="left" /><p> <a name="footnote1"><font color="#0066cc">[1]</font></a>&#160; 12 CFR 1239.12.</p><p> <a name="footnote2"> <font color="#0066cc">[2]</font></a>&#160; The regulation requires that the compliance program manage compliance with “applicable laws, rules, regulations, and internal controls,&quot; 12 CFR 1239.12.</p><p> <a name="footnote3"><font color="#0066cc">[3]</font></a>&#160; 12 CFR 1239.11(b), 1239.11(b)(2)(i), and 1239.11(c)(2).</p><p> <a name="footnote4"><font color="#0066cc">[4]</font></a>&#160; See <em>Oversight of Third-Party Provider Relationships, </em>AB 2018-08.&#160; See also PMOS, Standard 9&#58; Principles 4, 5, and 10.</p><p> <a name="footnote5"><font color="#0066cc">[5]</font></a>&#160; 12 CFR 1239.11(a).</p><p> <a name="footnote6"><font color="#0066cc">[6]</font></a>&#160; See generally PMOS, <em>Responsibilities of the Board of Directors&#58;</em> Principle 4.</p><p> <a name="footnote7"> <font color="#0066cc">[7]</font></a>&#160; Ibid.</p><p> <a name="footnote8"><font color="#0066cc">[8]</font></a>&#160; 12 CFR 1239.12.</p><p> <a name="footnote9"><font color="#0066cc">[9]</font></a>&#160;&#160; PMOS, Standard 1&#58; Principle 2 and Standard 8&#58; Principles 1 and 3.</p><p> <a name="footnote10"> <font color="#0066cc">[10]</font></a>&#160; See <em>Oversight of Third-Party Provider Relationships, </em>AB 2018-08.</p><p> <a name="footnote11"> <font color="#0066cc">[11]</font></a>&#160; Ibid.&#160; The term “senior management&quot; refers to those employees who plan, direct, and formulate policies, and provide the overall direction of the Enterprise for the development and delivery of products or services, within the parameters approved by the board.&#160; </p><p> <a name="footnote12"> <font color="#0066cc">[12]</font></a>&#160; PMOS, <em>General Responsibilities of the Board of Directors and Senior Management</em>&#58; Principle 6 and Standard 8&#58; Principle 6.</p><p> <a name="footnote13"> <font color="#0066cc">[13]</font></a>&#160; 12 CFR 1239.10(a).&#160; See also PMOS, Standard 1&#58; Principle 3. </p><p> <a name="footnote14"> <font color="#0066cc">[14]</font></a>&#160; 12 CFR 1239.12.</p><p> <a name="footnote15"> <font color="#0066cc">[15]</font></a>&#160; Ibid.</p><p> <a name="footnote16"><font color="#0066cc">[16]</font></a>&#160; Ibid.</p><p> <a name="footnote17"> <font color="#0066cc">[17]</font></a>&#160; See <em>Internal Audit Governance and Function, </em>AB 2016-05. &#160;See also PMOS, Standard 1&#58; Principle 14.</p><p> <a name="footnote18"> <font color="#0066cc">[18]</font></a>&#160; See generally PMOS, Standard 2.</p><p> <a name="footnote19"><font color="#0066cc">[19]</font></a>&#160; 12 CFR 1239.12.</p><p> <a name="footnote20"><font color="#0066cc">[20]</font></a>&#160; 12 CFR 1239.13.</p><p> <a name="footnote21"><font color="#0066cc">[21]</font></a>&#160; Ibid.</p><p> <a name="footnote22"><font color="#0066cc">[22]</font></a>&#160; As senior vice presidents, the Enterprises' compliance officers fit within the regulatory definition of executive officer.&#160; See 12 CFR 1230.2.</p><p> <a name="footnote23"><font color="#0066cc">[23]</font></a>&#160; PMOS, Standard 9&#58; Principles 4, 5, and 10.&#160; See also <em>Oversight of Third-Party Provider Relationships, </em>AB 2018-08.</p><p> <br>&#160;&#160;</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. &#160;Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. &#160;Questions about this advisory bulletin should be directed to&#58;&#160; <a>SupervisionPolicy@fhfa.gov</a>. </p></td></tr></tbody></table>10/3/2019 8:48:03 PMHome / Supervision & Regulation / Advisory Bulletins / Compliance Risk Management Advisory Bulletin This advisory bulletin (AB) communicates to Fannie Mae and Freddie Mac (the 6768https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Enterprise Fraud Reporting27298Fannie Mae & Freddie Mac9/18/2019 4:00:00 AMAB 2019-04<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN</strong></p><p> <strong>AB 2019-04&#58;&#160; ENTERPRISE FRAUD REPORTING</strong></p></td></tr></tbody></table><p> <span style="text-decoration&#58;underline;"><strong><em></em></strong></span>&#160;</p><p> <span style="text-decoration&#58;underline;"><strong><em>P<span style="text-decoration&#58;underline;"><strong><em>urpose</em></strong></span></em></strong></span></p><p>This advisory bulletin communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency's (FHFA) fraud reporting requirements pursuant to 12 CFR Part 1233 (FHFA Regulation).</p><p>This advisory bulletin rescinds and replaces FHFA's Advisory Bulletin AB 2015-02&#58;&#160; <em>Enterprise Fraud Reporting</em>, dated March 26, 2015.</p><p style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></p><p style="text-align&#58;left;">The Housing and Economic Recovery Act of 2008 (HERA) subjects the Enterprises to fraud reporting (12 U.S.C. Section 4642) and requires an Enterprise to submit to FHFA a “timely&quot; report upon discovery that it has purchased or sold a fraudulent loan or financial instrument, or when it suspects a possible fraud related to the purchase or sale of any loan or financial instrument.&#160; </p><p style="text-align&#58;left;">The FHFA Regulation implements the timely reporting requirement of HERA (12 CFR Section 1233.3(a)(1)) and requires immediate notification to the Director of FHFA upon the discovery of any situation that would have a significant impact on an Enterprise (12 CFR Section 1233.3(a)(2)).&#160; The FHFA Regulation grants the Director authority to determine procedures by which the Enterprises will submit such reports (12 CFR Section 1233.3(b)).</p><p style="text-decoration&#58;underline;"> <strong><em>Guidance</em></strong></p><p>The Enterprises should adhere to the guidelines in this advisory bulletin for reporting fraud or possible fraud to FHFA in compliance with the FHFA Regulation and for supervisory oversight purposes.&#160; &#160;</p><p> <em>Immediate Notification</em></p><p>To comply with the immediate notification requirement in the FHFA Regulation, an Enterprise should notify the Director's designee(s) electronically, through secure methods established by FHFA, within one calendar day from when an Enterprise becomes aware of fraud or possible fraud as defined in the FHFA Regulation that may have a significant impact on the Enterprise.&#160; Fraud or possible fraud is considered to have a significant impact if it may create substantial financial or operational risk for the Enterprise, whether from a single event/incident or because it is systemic.&#160; Fraud or possible fraud is also considered significant if it involves a member of the board of directors, officer, employee, or a contractor temporarily engaged to fill a position or perform a particular function at an Enterprise or other individual similarly engaged by an Enterprise.&#160; </p><p>The Enterprise should provide periodic updates to its board of directors, or a committee thereof, of all fraud or possible fraud requiring immediate notification.</p><p> <em>Timely Reporting</em></p><p>To comply with the timely reporting requirement in the FHFA Regulation, an Enterprise should adhere to the following two reporting requirements. </p><p> <span style="text-decoration&#58;underline;">Monthly Fraud Status Report</span></p><p>The Enterprises should submit a monthly fraud status report to FHFA. &#160;The monthly fraud status report shall contain requested information for each occurrence during the month in which the Enterprise has&#58;</p><ol><li>Filed a suspicious activity report (SAR) with the U.S. Department of the Treasury, Financial Crimes Enforcement Network (FinCEN) or</li><li>Discovered that it has purchased or sold a fraudulent loan or financial instrument, or when it suspects a possible fraud related to the purchase or sale of any loan or financial instrument, and the Enterprise has not filed a SAR.<br>&#160;</li></ol><p>FHFA will provide a template that describes the format of the monthly fraud status report and defines the information to be included.</p><p>Each Enterprise should provide the Director's designee(s) with the monthly fraud status report within thirty (30) calendar days after the end of each month, regardless of whether the Enterprise has a reportable event during the period covered by the report.&#160; The report should be sent electronically through secure methods established by FHFA.&#160; </p><p> <span style="text-decoration&#58;underline;">Quarterly Fraud Status Report</span></p><p>On a quarterly basis, the Enterprises should also report to FHFA summary information concerning their fraud risk management environments.&#160; </p><p>FHFA will provide a template that describes the format of the quarterly fraud status report and defines the information to be included.</p><p>Each Enterprise should provide the Director's designee(s) with the quarterly fraud status report within thirty (30) calendar days ​after the end of each calendar quarter.&#160; The report should be sent electronically through secure methods established by FHFA. &#160;<br></p><p> <span style="text-decoration&#58;underline;"><strong><em>Effective Date</em></strong></span></p><p style="text-align&#58;left;">This advisory bulletin becomes effective on January 1, 2020.&#160;​​<br>​<br></p><p style="text-decoration&#58;underline;"> <strong style="font-family&#58;&quot;source sans pro&quot;, sans-serif;font-size&#58;14px;"><em>​Related Guidance</em></strong><br></p><p> <em><a href="/SupervisionRegulation/AdvisoryBulletins/AdvisoryBulletinDocuments/AB2015-07_Fraud-Risk-Management.pdf">Fraud Risk Management</a></em>, Federal Housing Finance Agency Advisory Bulletin 2015-07, September 29, 2015.</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance.&#160; Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. &#160;Questions about this advisory bulletin should be directed to&#58; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>.</p></td></tr></tbody></table>9/18/2019 2:00:34 PMHome / Supervision & Regulation / Advisory Bulletins / Enterprise Fraud Reporting Advisory Bulletin This advisory bulletin communicates to Fannie Mae and Freddie Mac (the 4379https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Business Resiliency Management26708All5/7/2019 4:00:00 AMAB 2019-01<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p style="text-align&#58;left;"> <strong>&#160;</strong><strong>ADVISORY BULLETIN</strong><strong>&#160; </strong></p><p style="text-align&#58;left;"> <strong>AB 2019-01&#58;</strong><strong>&#160; </strong><strong>BUSINESS RESILIENCY MANAGEMENT</strong></p></td></tr></tbody></table><p style="text-decoration&#58;underline;"> <br> <strong> <em>Purpose</em></strong></p><p>This advisory bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance on business resiliency management at Fannie Mae, Freddie Mac, the Federal Home Loan Banks (FHLBanks), and the Office of Finance (OF) (collectively, the regulated entities).<a href="#1">[1]</a>&#160; This AB rescinds and replaces Federal Housing Finance Board Advisory Bulletin 02-3 Disaster Recovery Planning, February 13, 2002.&#160; </p><p>For purposes of this AB, business resiliency management refers to the regulated entity's ability to minimize the impact of disruptions and maintain business operations at predefined levels. &#160;Disruptions can expose the regulated entities to operational, financial, legal, compliance, and reputational risks.&#160; An effective business resiliency management program (program) helps to ensure safe and sound operations at each regulated entity.&#160; </p><p style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></p><p style="text-align&#58;left;">Uncontrolled events, such as natural disasters, pandemics, and cyberattacks, can threaten the regulated entities' ability to perform mission critical operations, such as providing liquidity and access to credit in the mortgage market.&#160; Disruptions in service can expose the regulated entities to a variety of risks and potentially lead to adverse economic consequences in the financial sector.&#160; A program establishes documented strategic processes and procedures that a regulated entity should follow to mitigate and respond to risks in order to continue its business operations. </p><p style="text-align&#58;left;">The core components of a program include the business continuity plan (BCP), disaster recovery plan (DRP) and crisis management plan (CMP) (collectively, plans).&#160; The BCP is the written set of procedures a regulated entity follows to recover, resume, and maintain business functions and their underlying processes at acceptable predefined levels following a disruption.&#160; The BCP accounts for disruptions affecting personnel, equipment, facilities, data, third-party providers, and the technical assets associated with business functions and processes.&#160; The DRP is the documented process to recover and resume the regulated entity's IT infrastructure, business applications, and data services in the event of a major disruption.&#160; The CMP provides documented, coordinated responses to enterprise-wide disruptions, including overseeing the activation of the DRP and BCPs. &#160;</p><p style="text-align&#58;left;">FHFA's general standards for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Part 1236 Appendix.&#160; Three relevant PMOS articulate guidelines for a regulated entity's board of directors and senior management to evaluate when establishing internal controls and information systems (Standard 1), overall risk management processes (Standard 8, especially Standard 8.11), and maintenance of adequate records (Standard 10). &#160;A business resiliency program that is aligned with this AB will meet FHFA's supervisory expectations on the points that the AB addresses, with respect to those standards.&#160; A business resiliency program that is not aligned with this AB may not meet those standards and may not be safe and sound.<a href="#2">[2]</a></p><p style="text-align&#58;left;text-decoration&#58;underline;"> <strong> <em>Guidance</em></strong></p><p>FHFA expects the regulated entities to establish and maintain a program that includes the following&#58;</p><ol style="list-style-type&#58;upper-roman;"><li>Governance</li><li>Business Resiliency Cycle</li><ol style="list-style-type&#58;upper-alpha;"><li>Risk Assessment and Business Impact Analysis</li><li>Risk Mitigation and Plan Development</li><li>Testing and Analysis</li><li>Risk Monitoring and Program Sustainability</li></ol></ol><p>Each regulated entity should establish its program in alignment with its enterprise-wide risk management program,<a href="#3">[3]</a> and in accordance with all relevant FHFA guidance.&#160; The regulated entity should develop strategies, policies, procedures, and internal standards that apply to the program.&#160; The program should guide the regulated entity to respond appropriately to disruptions affecting business operations, personnel, equipment, facilities, IT systems, and information assets.&#160; In order to remain current and effective, the program should adopt a cyclical, process-oriented approach that incorporates the following steps&#58; (1) risk assessment and business impact analysis, (2) risk mitigation and plan development, (3) testing and analysis, and (4) risk monitoring and program sustainability. &#160;</p><p> <strong>I.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Goverance</strong></p><p>The board of directors or a committee thereof (board) is responsible for maintaining a strong business resiliency culture and overseeing the program.&#160; The board provides oversight of senior management's implementation of the program and maintenance of plans that reflect the regulated entity's current operating environment and risk appetite.&#160; The board should review and approve the enterprise-wide business resiliency strategic objectives of the program on an annual basis.&#160; &#160;</p><p>As delegated by the board, senior management<a href="#4">[4]</a> is responsible for executing the program.&#160; Senior management ensures that&#58;</p><ul style="list-style-type&#58;disc;"><li>Each step of the program is carried out by assigned personnel with clear roles and responsibilities;</li><li>There are designated resources and qualified personnel from across the regulated entity's business units and operations to develop and implement plans;&#160; </li><li>Employees are adequately trained and participate in testing exercises, as necessary, to demonstrate understanding of their role when plans are activated in the event of a disruption; </li><li>There is sufficient communication and coordination to properly execute plans and maintain enterprise-wide business resiliency;&#160; </li><li>Effective reporting and metric requirements are in place, such as reviewing internal audit reports and providing reports to the board;&#160; </li><li>The review and approval of plans involving critical business functions are conducted on an annual basis or when there are material changes in the operating environment that affect critical business functions; and</li><li>The board is informed of significant issues involving the strategies, plans, or testing of critical business functions. </li></ul><p> <strong>II.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; Business Resiliency Cycle</strong></p><p> <em>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; A.&#160; Risk Assessment and Business Impact Analysis</em></p><p>Developing an effective plan begins with a risk assessment that determines the potential threats to a regulated entity's business operations.&#160; A risk assessment considers the full spectrum of scenarios that could affect operations, ranging from low impact, high probability occurrences (such as power or telecommunication disruptions) to low probability, high impact occurrences (such as pandemics or natural disasters).&#160; As part of the risk assessment process, the regulated entity should take into account disruptions involving information services, equipment, personnel, facilities, and services by third-party providers.&#160; The regulated entities should also consider their proximity to infrastructure in conjunction with their susceptibility to threats.&#160; </p><p>The business impact analysis (BIA) assesses and prioritizes those business functions and processes, including their associated technical assets, that must be recovered after a disruption.&#160; The BIA should identify the potential impact of uncontrolled events on the regulated entity's ability to execute its business functions and processes.&#160; The regulated entity should also consider the impact of disruptions on its ability to perform its role in the financial marketplace, satisfy legal and regulatory requirements, follow safe and sound practices, maintain public confidence, and achieve its strategic goals.&#160; </p><p>Conducting a thorough and accurate BIA is the basis for developing effective plans and a comprehensive program for the regulated entity.&#160; As part of the BIA, the regulated entities should identify business functions and processes, evaluate and compare business function requirements, and identify interdependencies between critical systems, departments, personnel, and services that may be compromised during a disruption.&#160; The BIA should be risk-focused, taking into consideration the priority of certain business functions and processes. &#160;The BIA should be conducted at least annually.&#160; </p><p>Recovery point objectives (RPOs) and recovery time objectives (RTOs) are calculated results informed by the BIA.&#160; An RPO defines the maximum level of data loss (in terms of time) that can be afforded during a failure.&#160; An RTO estimates the maximum allowable downtime for business processes and associated technical assets that should be recovered after a disruption.&#160; The regulated entity should additionally consider how RTOs and RPOs affect data recovery and reconciliation, especially when business and IT interdependencies are involved.&#160; RTOs inform the regulated entity on how it should categorize and group business processes and technical assets from the most critical functions to the least critical.</p><p> <em>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; B.&#160; Risk Mitigation and Plan Development</em></p><p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;<span style="text-decoration&#58;underline;">Risk Mitigation</span></p><p>The regulated entity should use the results from the risk assessment and BIA to determine appropriate recovery solutions that mitigate the risk of a disruption to a level that is acceptable for its business functions and processes.&#160; The recovery solutions may include data synchronization, redundant vendor support, alternative power sources, high-availability technologies for critical business functions, fire detection and suppression systems, and additional reserves of critical equipment and supplies.&#160; The regulated entity should also consider the appropriate insurance coverage for its business, taking into consideration the BIA findings and its risk profile.</p><p>Some business functions have high availability requirements where even minimal downtime presents risk. &#160;The regulated entities should have an alternate, geographically distinct data center as an enterprise-wide disaster recovery solution that maintains availability within pre-determined RTOs and RPOs.&#160; Alternatively, the regulated entity can rely on its cloud service provider.<a href="#5">[5]</a>&#160; A geographically distinct data center should be at an appropriate distance from the regulated entity's primary operations and should not be subject to the same inherent risks as the primary site during a disaster.&#160; Pursuant to the DRP, the alternate site would be activated to recover, by priority, the technical assets of the primary location.&#160; The facility should be capable of operating at the regulated entity's normal volume and be available for use until the regulated entity achieves full recovery from the disaster. &#160;For any FHLBank, partnering with another FHLBank is a useful strategy for short-term resumption of certain business processes, but by itself should not be considered an adequate disaster recovery solution.&#160; </p><p>If a third-party provider is used to mitigate business resiliency risk, the regulated entity should evaluate, according to the risk assessment or BIA, whether its business resiliency objectives are met within its third-party provider risk management framework.<a href="#6">[6]</a>&#160; Commensurate with the risk involved, the regulated entity should consider the strength of a third-party provider's business resiliency program. </p><p>The regulated entities should also consider risk mitigation strategies in addition to those addressing RPOs and RTOs.&#160; For instance, a senior management-approved response plan to handle media inquiries can reduce the risk of reputational harm after a disruptive event.&#160; FHFA also encourages the regulated entities to contact federal, state, and local authorities as needed to determine specific risks or exposures for their geographic location and requirements for accessing emergency zones.&#160; The regulated entities should consider taking advantage of government-sponsored emergency programs and coordinating with agencies, emergency personnel, and service providers during the recovery and resumption of operations.</p><p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; <span style="text-decoration&#58;underline;">Plan Development</span></p><p>The regulated entity should document how to implement the risk mitigation strategies and recovery solutions in its plans.&#160; Plans should include short-term and long-term recovery operations with steps to transition back to normal business based on the criticality of the business functions and processes affected.&#160; Plans should also account for internal and external dependencies in the event that third-party providers,<a href="#7">[7]</a>&#160;personnel, or certain equipment are unavailable or inefficient.&#160; Plans should avoid single points of failure as the strength of a plan can be diminished by weak components. &#160;If the regulated entity outsources the development of its plans, it is responsible for choosing a service provider that has the requisite expertise appropriate for the entity's size, complexity, and risk environment.&#160;&#160; </p><p>The regulated entity's plans should include the following&#58;</p><ul style="list-style-type&#58;disc;"><li>The assumptions used to develop each plan, understanding that certain assumptions may not be met when a plan is activated;</li><li>Criteria to trigger activation of the plan and escalate incidents, if appropriate;</li><li>Assigned roles and responsibilities for personnel to activate and execute the plans;</li><li>Contingency plans for technical assets, where appropriate;</li><li>Incident response measures to protect the availability, confidentiality, and integrity of information;</li><li>Current contact information for employees, customers, service providers, municipal authorities, and emergency response personnel that is readily accessible at off-site locations; </li><li>Internal and external communication protocols, including notifying FHFA, the board, and customers, and call trees and employee notification procedures;</li><li>Relocation strategies to other facilities and remote access policies and standards if personnel are working from a remote location in the event of a disaster; and</li><li>References to emergency response measures to prevent loss of life and minimize injury and property damage.</li></ul><p>The regulated entity should prioritize the recovery of its business functions and processes according to the RTOs and RPOs as stated in each plan. &#160;Each business function, process, and associated technical asset should map to a BCP.&#160; Technical assets should also be accounted for in the DRP as they relate to the prioritized recovery and protection of the regulated entity's IT infrastructure, business applications, and data. &#160;The regulated entity should determine the enterprise-wide risk thresholds that trigger activating the CMP and the corresponding steps to respond to such incidents at an enterprise level.&#160; The regulated entity should consider the operational, legal, compliance, financial, and reputational risks involved when determining the thresholds to trigger the CMP.&#160; The CMP should include the coordinated responses to implement the DRP and BCPs, handle media inquiries, and oversee emergency response measures.</p><p> <em>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; C.&#160; Testing and Analysis</em></p><p>Testing demonstrates how well each plan achieves the business resiliency objectives defined by the regulated entity.&#160; Each regulated entity should develop a testing program that includes policies, standards, and procedures that address test planning, execution, reporting of test results, and test revisions, as necessary.&#160;&#160;&#160; </p><p>Senior management should designate personnel to oversee the testing of plans and allocate adequate time and resources for test exercises.&#160; Senior management is also responsible for ensuring that employees are aware of their roles (i.e., administrator or participant) in executing tests regularly.&#160; Test plans should periodically rotate employee roles, as appropriate, to reduce reliance on specific individuals who may not be available during a disruptive event.&#160; Testing of plans involving critical business functions should be completed at least annually, and when material changes occur to the business operating environment.&#160; The frequency of testing should be consistent with the criticality of the business function, but should not jeopardize normal business operations.</p><p>Prior to each test, management should validate the testing methods to identify potential problems.&#160; Test plans or exercises should be evaluated to assess whether test objectives are feasible and whether assumptions used in developing the test strategy are reasonable.&#160; Testing of plans should align with the risk assessments and the BIAs to validate pre-determined RPOs and RTOs.&#160; Additionally, priority-based testing should&#58;</p><ul style="list-style-type&#58;disc;"><li>Incorporate a variety of threats, event types, and crisis management scenarios that range from isolated system failures to full-scale disruptions;</li><li>Evaluate identified internal and external interdependencies, including the testing of primary and alternate facilities with key third-party providers; </li><li>Progressively increase in scope and complexity, functions, physical locations, and participants; testing should ultimately process at least a full day's work at the regulated entity's normal levels;</li><li>Include a full-scale DRP test to confirm the entity's ability to conduct and sustain normal business in an alternate data center and the ability to return to pre-defined levels of operations in the primary data center; and</li><li>Over time, adapt to changes in the regulated entity's business activities and risk profile.&#160; </li></ul><p>Internal audit or a qualified independent third party should review the testing program and conduct an independent assessment of selected tests, including the underlying assumptions and methodology.&#160; Management should have oversight of key tests that are observed, verified, and evaluated by the independent party in order to validate the testing process and accuracy of test results.&#160; Test results, deviations from test plans, problems identified during testing, and any specified remediation steps should be properly documented. </p><p>Test results should be periodically analyzed to determine if problems identified during testing can be traced to a common source, remediated, and resolved through revisions to the testing program.&#160; Problems encountered during testing should be corrected and retested in a timely manner.&#160; Test participants or test owners can also provide suggestions to the test scenarios, plans or scripts to improve the test program.&#160; Once tests are completed and assessed, the test program should be updated to address any gaps identified during tests and retested, as necessary, for robustness and effective remediation within a reasonable timeframe.&#160; </p><p> <em>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; D.&#160; Risk Monitoring and Program Sustainability</em></p><p>The regulated entity should also implement risk monitoring to track how changes to the business operating environment, including personnel, technologies, equipment, or third-party providers, may affect business resiliency strategies and plans.&#160;&#160; </p><p>Regular reports of test results and risk monitoring inform senior management of the effectiveness of the regulated entity's program.&#160; Senior management should use this information to determine if gaps exist between the risk assessment or BIA and the existing plans in place.&#160; Based on this gap analysis, RPOs and RTOs may need to be reassessed and risk mitigation strategies may need to be evaluated for particular plans.&#160; Management or plan administrators should revise plans based on test results or when material changes occur to the current business operating environment—including changes to personnel and internal and external dependencies, such as reliance on other business units or outsourced activities.&#160; Relevant business line managers and stakeholders should also be informed of test results so they can address material business resiliency problems identified during testing.&#160; The test and/or audit reports of third-party providers, lessons learned from an actual event, and any emerging risks identified should also be used in a gap analysis for each step of the program.&#160; Updates to plans should be completed in a timely manner and revised plans should be communicated and made available to appropriate managers and employees. </p><blockquote dir="ltr" style="margin-right&#58;0px;"> <strong> <em> <br>Related Guidance</em></strong></blockquote><blockquote dir="ltr" style="margin-right&#58;0px;"><blockquote dir="ltr" style="text-align&#58;left;margin-right&#58;0px;"><blockquote style="margin-right&#58;0px;"><p>12 CFR Part 1236 Prudential Management and Operations Standards, Appendix.<br><br><em>Oversight of Third-Party Provider Relationships</em>, Federal Housing Finance Agency Advisory Bulletin 2018-08, September 28, 2018.<br><br><em>Cloud Computing Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2018-04, August 14, 2018.<br><br><em>Information Security Management</em>, Federal Housing Finance Agency Advisory Bulletin 2017-02, September 28, 2017.<br><br><em>Internal Audit Governance and Function</em>, Federal Housing Finance Agency Advisory Bulletin 2016-05, October 7, 2016.<br><br><em>Data Management and Usage</em>, Federal Housing Finance Agency Advisory Bulletin 2016-04, September 29, 2016.<br><br><em>Operational Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2014-02, February 18, 2014. <br><br><em>Contingency Planning for High-Risk or High-Volume Counterparties</em>, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013. <br><br><em>Business Continuation Contingency Planning</em>, Federal Housing Finance Board Advisory Bulletin 03-2, February 10, 2003.<br><br><em>Disaster Recovery Planning</em>, Federal Housing Finance Board Advisory Bulletin 02-3, February 13, 2002 (rescinded by this advisory bulletin).&#160;<br><br></p></blockquote></blockquote></blockquote><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p style="text-align&#58;left;">FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance.&#160; Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance.&#160; <br>Questions about this advisory bulletin should be directed to&#58;&#160; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>. </p></td></tr></tbody></table> <p> <u></u>&#160;</p><p> <a name="1">[1]</a>&#160;The OF is not a “regulated entity&quot; as the term is defined by statute (<em>see</em> 12 U.S.C. 4502(20)).&#160; However, for convenience, references to the “regulated entities&quot; in this AB should be read to also apply to the OF.&#160; </p><p> <a name="2">[2]</a>&#160;12 CFR 1236.4</p><p> <a name="3">[3]</a>&#160;12 CFR 1239.11(a).</p><p> <a name="4">[4]</a>&#160;The term “senior management&quot; refers to those employees who plan, direct, and formulate policies, and provide the overall direction of the regulated entity for the development and delivery of products or services, within the parameters approved by the board.</p><p> <a name="5">[5]</a>&#160;<em>See Cloud Computing Risk Management</em>, AB 2018-04.</p><p> <a name="6">[6]</a>&#160;<em>See Oversight of Third-Party Provider Relationships</em>, AB 2018-08.</p><p> <a name="7">[7]</a>&#160;Ibid.</p>5/7/2019 7:00:50 PMHome / Supervision & Regulation / Advisory Bulletins / Business Resiliency Management Advisory Bulletin This advisory bulletin (AB) provides Federal Housing Finance Agency 5350https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx
Oversight of Third-Party Provider Relationships25812All9/28/2018 4:00:00 AMAB 2018-08<div class="custom-contentTypeContent"><div aria-labelledby="ctl00_PlaceHolderMain_ctl04_label" style="display&#58;inline;"><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>​​​ADVISORY BULLETIN</strong></p><p> <strong>AB 2018-08&#58;&#160; OVERSIGHT OF THIRD-PARTY PROVIDER RELATIONSHIPS</strong></p></td></tr></tbody></table><p style="text-decoration&#58;underline;"> <strong><em><br>Purpose</em></strong></p></div></div><p>This advisory bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance to Fannie Mae<strong> </strong>and<strong> </strong>Freddie Mac, the Federal Home Loan Banks (FHLBanks), and the Office of Finance (OF) (collectively, the regulated entities<a href="#1">[1]</a>) on assessing and managing risks associated with third-party provider relationships.&#160; For the purposes of this AB, a third-party provider relationship is a business arrangement between a regulated entity and another entity that provides a product or a service.<a href="#2">[2]</a>&#160; When entering into third-party provider relationships, the regulated entities can be exposed to financial, operational, legal, compliance, and reputational risk.&#160; Effective risk management of third-party provider relationships is essential to the safe and sound operations of the regulated entities.&#160;</p><p style="text-decoration&#58;underline;"> <em><strong>Guidance</strong></em></p><p>FHFA expects each regulated entity to establish and maintain a third-party provider risk management program (program) that includes the following&#58;</p><ol style="list-style-type&#58;upper-roman;"><li>Governance</li><ol style="list-style-type&#58;upper-alpha;"><li>Responsibilities of the Board and Senior Management</li><li>Policies, Procedures, and Internal Standards</li><li>Reporting</li></ol><li>Third-Party Provider Risk Management Life Cycle Phases</li></ol><ol style="list-style-type&#58;upper-roman;"><ol style="list-style-type&#58;upper-alpha;"><li>Risk Assessment</li><li>Due Diligence in Third-Party Provider Selection</li><li>Contract Negotiation </li><li>Ongoing Monitoring</li><li>Termination</li></ol></ol><p style="text-align&#58;left;">A regulated entity's program should enable oversight of third-party provider relationships in accordance with the level of risk presented, the nature of the relationship, the scale of the outsourced product or service, and the risk inherent in the relationship.&#160; Because of this risk-based approach, aspects of this AB may not apply to every third-party provider relationship.&#160; The regulated entities should ensure that the quality and extent of third-party provider risk management corresponds with the level of risk and the complexity of these relationships.&#160; </p><p style="text-align&#58;left;">FHFA's general standards for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Part 1236 Appendix.&#160; Three relevant PMOS articulate guidelines for a regulated entity's board of directors and management to evaluate when establishing internal controls and information systems (Standard 1), overall risk management processes (Standard 8), and maintenance of adequate records (Standard 10).&#160; In addition, each regulated entity should manage its program as part of its enterprise-wide risk management program and in accordance with all relevant FHFA guidance.<a href="#3">[3]</a>&#160; </p><blockquote dir="ltr"><blockquote dir="ltr"><blockquote dir="ltr"><blockquote dir="ltr"><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><h4> &#160;I.&#160;&#160;&#160;&#160;&#160;&#160; Governance </h4><p> <em>A.&#160;&#160;&#160;&#160; Responsibilities of the Board and Senior Management</em></p></blockquote></blockquote><p style="text-align&#58;left;">The board of directors or board committee (board) should approve a policy establishing the program.&#160; The board-level policy (or management-level policies, as appropriate) should establish criteria for the acceptance and monitoring of risks related to third-party provider engagements and include enterprise-wide risk management processes that reflect the complexity of the regulated entity.&#160; Policies should assign clear roles and responsibilities to entity personnel, establish requirements for documenting decisions concerning third-party providers, and identify internal stakeholders throughout the third-party provider relationship.&#160; Internal audit, or an independent third party if specialized expertise is required, should audit the program periodically, including review of third-party assessments.</p><p>The regulated entity's board is responsible for oversight of the program, while senior management is responsible for executing the regulated entity's program and applicable policies on behalf of the board, consistent with established delegations.&#160; Each regulated entity's board should ensure that senior management has effective processes in place to manage risks related to third-party provider relationships, consistent with the regulated entity's strategic goals, organizational objectives, and risk appetite.&#160; </p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>B.&#160;&#160;&#160;&#160; Policies, Procedures, and Internal Standards</em></p></blockquote><p style="text-align&#58;left;">The regulated entities should establish and implement risk management processes in their policies that clearly define risk categories for the oversight of third-party provider relationships.&#160; Risk categories should consider the type and degree of risk inherent in the relationship, the scope and breadth of the third-party provider relationship, the nature of the product or service provided, and the ability to find an acceptable replacement for the third-party provider. &#160;In addition to categorizing these relationships, the regulated entity should document and consistently update its inventory of third-party providers.&#160; The regulated entity's program should articulate governance standards for risk-based due diligence, monitoring, and oversight that reflect the defined risk categories.&#160; The more risk a third-party provider relationship poses to the regulated entity, the more rigorously the regulated entity should perform these activities.&#160; Documentation requirements should correspond to the risk category or the nature of the third-party provider relationship.&#160; Other factors considered in establishing a risk-based approach include third-party provider relationships that could&#58; </p><ul style="list-style-type&#58;disc;"><li>Cause a regulated entity to face significant business, operational, legal, compliance, or reputational risk if the third-party provider fails to meet its obligations;</li><li>Require significant resources and costs to implement and manage the risk (such as a third-party provider that has an integral role in the regulated entity's operations or a financial technology firm that leverages emerging technologies); or</li><li>Have a major effect on the regulated entity's operations if it needs to procure an alternate third-party provider or has to perform the service in house.</li></ul><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>C.&#160;&#160;&#160;&#160; Reporting</em> </p></blockquote><p> The regulated entity should implement a reporting system that provides management sufficient information to adjust the program, including policy, resources, expertise, and controls.&#160; Management should receive periodic reports from program stakeholders about commencing new third-party provider relationships, continuing existing ones, or terminating arrangements that do not meet expectations or no longer align with the goals of the regulated entity.&#160; Regular reports to management could incorporate the documentation of phases of the third-party provider relationship, such as analysis of costs, or reputational risks found during ongoing monitoring.&#160; Reports should contain sufficient detail to adequately inform the intended audience and sufficiently support related business decisions.</p><p> To assist the board in oversight of the program, management should provide the board with regular enterprise-wide reports on the regulated entity's management of risks associated with third-party providers.&#160; Management should also notify the board of significant third-party risks, such as business interruptions and terminations for cause, or third-party provider relationships that approach the regulated entity's risk appetite limits.&#160;&#160;</p><p>&#160;</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><h4>II.&#160;&#160;&#160;&#160;&#160;&#160;&#160; Third-Party Provider Risk Management Life Cycle Phases</h4></blockquote><p style="text-align&#58;left;">An effective program should include policies and procedures that cover all phases of the regulated entity's third-party provider relationship life cycle&#58; &#160;Risk Assessment, Due Diligence in Third-Party Provider Selection, Contract Negotiation, Ongoing Monitoring, and Termination.&#160; The scope and duration of each phase should be consistent with the program's policy, and multiple phases may be addressed simultaneously.&#160; The documentation for each phase is also dependent on whether the phase applies and the extent to which it applies. &#160;The life cycle phases are discussed in more detail below.&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160; <em></em></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>A.&#160;&#160;&#160;&#160; Phase 1 – Risk Assessment </em></p></blockquote><p style="text-align&#58;left;">Each regulated entity's program should include processes to assess the risks associated with engaging a third-party provider to supply a product or service.&#160; These risks may include&#58;</p><ul style="list-style-type&#58;disc;"><li>The operational, compliance, legal, and reputational risks associated with having a third-party provider supply the product or service and the risk that expected benefits do not outweigh the costs;</li><li>The breadth of the products or services that would be delivered by a third-party provider;</li><li>Whether the regulated entity has adequate resources and expertise to monitor the third-party provider relationship;</li><li>The complexity of the arrangement, volume of activity, potential for a third-party provider's use of subcontractors, and the technology required; and</li><li>Potential information security risks associated with giving a third-party provider access to the regulated entity's operating location, information systems, or proprietary or personally identifiable information.</li></ul><p style="text-align&#58;left;">If the regulated entity establishes a third-party provider relationship, the program should provide for management of the associated risks.&#160; As necessary, the risk assessment should include a strategy for the regulated entity to procure adequate resources or expertise to mitigate the risks or justify acceptance of the identified risks.&#160; The regulated entity should review and update its risk assessment and revise risk mitigation strategies when appropriate.&#160; When documenting its risk assessment analysis, the regulated entity should indicate any risk assessment tools used in the process.</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>B.&#160;&#160;&#160;&#160; Phase 2 – Due Diligence in Third-Party Provider Selection</em></p></blockquote><p style="text-align&#58;left;">Each regulated entity should conduct due diligence on a third-party provider before entering into a contract.&#160; The degree of due diligence should be commensurate with the level of risk of the outsourced activity and the complexity of the third-party provider relationship.&#160; A regulated entity should not rely solely on its prior experience or knowledge of the third-party provider as a substitute for an objective risk assessment of the third-party provider's ability to supply a product or service in a safe and sound manner.&#160; A regulated entity may refer to a third-party provider's independent audit, Service Organization Control (SOC) report, or recognized certifications to assess certain aspects of the third-party provider's internal risk management controls.&#160; Due diligence review should align with the severity of the risk.&#160; Due diligence results, findings, and recommendations should be documented.</p><p style="text-align&#58;left;">Due diligence prior to entering into a third-party provider relationship should include an evaluation of financial, operational, legal, compliance, and reputational risks of engaging the proposed third-party provider.&#160; As part of the due diligence review, the regulated entity should consider&#58; </p><ul style="list-style-type&#58;disc;"><li>Whether the proposed third-party provider can offer the product or service in compliance with applicable laws and regulations, as well as the regulated entity's internal policies, procedures, and other requirements;</li><li>The third-party provider's overall business model and how current and proposed business activities may affect the risks presented by the third-party provider; </li><li>The third-party provider's business background, experience, and reputation; </li><li>The financial performance, resources, and condition of the proposed third-party provider;</li><li>The third-party provider's insurance coverage;</li><li>The third-party provider's operational and internal controls, including information security, incident reporting and management, and business continuity programs; </li><li>Concentration risks that may arise from relying on a third-party provider for multiple products or services or from a third-party provider's reliance on subcontractors; </li><li>The extent to which the third-party provider relies on subcontractors to perform its obligations, the controls the subcontractor has in place, and the third-party provider's processes to oversee subcontractors that would be directly involved in the outsourced product or service; </li></ul><ul style="list-style-type&#58;disc;"><li>Any potential conflicts of interest with the directors, officers, or employees of the regulated entity concerning potential third-party providers;<a href="#4">[4]</a> and</li><li>Whether there are third-party fee structures that involve potential risks, such as incentives for inappropriate risk-taking, that could arise as a result of such fee structures.&#160; </li></ul><p style="text-align&#58;left;">Each regulated entity's third-party provider selection process should also be designed to ensure, to the extent possible and consistent with safety and soundness, the inclusion of&#160;minority-, women-, and disabled-owned businesses.<a href="#5">[5]</a></p><p style="text-align&#58;left;">Management should review the due diligence results to determine whether the third-party provider is able to adequately provide the product or service at a level of risk acceptable to the regulated entity.&#160; If the third-party provider cannot meet the regulated entity's requirements, management should consider whether to seek an alternate provider, supply the product or service itself, or mitigate the identified risks to the extent practicable. </p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>C.&#160;&#160;&#160;&#160;&#160;&#160; &#160;Phase 3 – Contract Negotiation </em></p></blockquote><p style="text-align&#58;left;">Each contract with a third-party provider should clearly specify the rights and responsibilities of each party.&#160; Consistent with the risk category involved, the regulated entity should consider what level of legal review is necessary for contracts with third-party providers and should ensure that the attorneys conducting the review for a particular contract have the appropriate subject matter expertise or work in conjunction with appropriate subject matter experts. &#160;Copies of executed contracts should be retained for reference and record-keeping purposes.</p><p style="text-align&#58;left;">The regulated entity should consider the following when negotiating contractual provisions with third-party providers&#58;</p><ul style="list-style-type&#58;disc;"><li>The nature and scope of service; </li><li>Duration of service; </li><li>Performance standards and service levels; </li><li>Experience requirements of third-party providers and their contractors;</li><li>Cost and compensation, including the timing and procedures for payment and expense reimbursement;</li><li>Confidentiality, use, location, and security of information; </li><li>Business continuity and contingency plans and test results;</li><li>Intellectual property ownership, rights, and responsibilities; </li><li>Timely disclosure of conflicts of interest or potential conflicts of interest from the third-party provider;</li><li>Incident reporting and management;</li><li>Dispute resolution process (<em>e.g.</em> arbitration, mediation), termination, and remedies; and</li><li>Internal controls and audit reports.</li></ul><p>The regulated entity should address what constitutes nonperformance and the conditions under which the contract may be terminated by either party.&#160; The contract should also stipulate the circumstances for and responsibilities when termination occurs.&#160; If the regulated entity could no longer legally engage a third-party provider,<a href="#6">[6]</a> the contract should include a provision that enables the regulated entity to terminate the contract for regulatory noncompliance.&#160; </p><p style="text-align&#58;left;">The regulated entity should also ensure that contracts address compliance with the specific laws, regulations, and guidance applicable to the regulated entity, including the regulated entity's right to obtain necessary information to conduct ongoing risk assessments, as well as monitor performance and ensure contract compliance.&#160; Contracts should also address whether the regulated entity has the right to conduct periodic on-site reviews to verify compliance.&#160; If contracts allow for subcontracting, the regulated entity generally should seek to ensure that the primary third-party provider remains responsible for the performance of its subcontractors in accordance with the terms of the primary contract, and be notified of the identity of any material subcontractors, when appropriate. </p><p style="text-align&#58;left;">Contracts for third-party providers should address, as appropriate, the provider's responsibility for continuation of the product or service in the event of an operational failure, such as man-made and natural disasters.&#160; Contracts should address requirements for third-party providers to back up information and maintain disaster recovery and contingency plans with sufficiently detailed operating procedures.&#160; </p><p style="text-align&#58;left;">Other issues such as the maintenance of adequate insurance, ownership of data or licenses, privacy, and liability limitations should be considered, as applicable.&#160; For example, the regulated entity should consider potential legal and security risks to cross-border data storage, transmission, and processing.&#160;&#160;&#160;</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>D.&#160;&#160;&#160; Phase 4 – Ongoing Monitoring</em></p></blockquote><p style="text-align&#58;left;">The nature and extent of monitoring of the performance of third-party provider relationships should be commensurate with the level of risk.&#160; Management should also ensure that the regulated entity retains sufficient staff with the necessary expertise, authority, and accountability to oversee and monitor the third-party provider relationship.&#160; The approach (<em>e.g.</em>, on-site versus off-site review), depth, scope, and frequency of the monitoring and oversight activities should correspond to the risk category involved.&#160; If the regulated entity outsources any part of its monitoring and oversight, management is responsible for choosing a service provider appropriate for the entity's size, complexity, and risk environment.&#160; </p><p style="text-align&#58;left;">Ongoing monitoring should include the due diligence activities referenced in Phase 2 that apply to the particular third-party provider relationship.&#160; Management of the regulated entity should also consider whether the third-party provider is&#58;</p><ul style="list-style-type&#58;disc;"><li>Meeting service-level agreements, performance metrics, and other contractual terms; </li><li>Monitoring and evaluating subcontractor controls that are relevant to the contract work being performed;</li><li>Engaged in agreements with other entities that may pose a conflict of interest or present risks; </li><li>Performing periodic background checks; and</li><li>Complying with applicable legal and regulatory requirements, including documenting such compliance when necessary.</li></ul><p style="text-align&#58;left;">Because both the level and types of risks may change over the lifetime of a third-party provider relationship, a regulated entity should ensure that its ongoing monitoring adapts accordingly.&#160; Periodic assessments should be conducted to determine whether the product or service remains necessary or relevant to the regulated entity's mission or operations.&#160; Each regulated entity should also periodically assess existing third-party provider relationships to determine whether the nature of the product or service provided has changed, resulting in the need for re-designation to a new risk category. &#160;Management should review existing third-party provider contracts to determine whether the terms and conditions address current risks associated with having the product or service supplied by the third-party provider.&#160; Where concerns are identified, the regulated entity should consider addressing those concerns by negotiating an amendment to the contract where appropriate, or revising the contract prior to a renewal. &#160;</p><p style="text-align&#58;left;">When a regulated entity identifies concerns through ongoing monitoring, it should seek to resolve the issues at the earliest opportunity.&#160; Management should ensure procedures exist to escalate issues such as service agreement performance, material weaknesses and repeat audit findings, deterioration in financial condition, security breaches, data loss, or compliance lapses.&#160; Additionally, management should ensure that the regulated entity's controls for managing these risks from third-party provider relationships are tested regularly.&#160; Weaknesses identified that substantively increase the risk to the regulated entity should be reported to the board based on an assessment of the level of associated risk.</p><p style="text-align&#58;left;">Any assessments and analyses performed during this phase should be documented, as well as any regular risk management and performance reports received from the third-party provider (<em>e.g.</em>, audit reports, security reviews, and reports about compliance with service-level agreements).</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>E.&#160;&#160;&#160;&#160; Phase 5 – Termination</em></p></blockquote><p style="text-align&#58;left;">The terms of each contract will govern how a regulated entity or a third-party provider may terminate the contractual relationship.&#160; A regulated entity may wish to terminate a third-party provider relationship for various reasons, including&#58;&#160;</p><ul style="list-style-type&#58;disc;"><li>Expiration, completion, or satisfaction of the contract;</li><li>Breach of contract;</li><li>To engage an alternate third-party provider;</li><li>To discontinue the product or service; </li><li>To bring the product or service in house; or</li><li>To comply with an FHFA order directing suspension of the third-party provider relationship. </li></ul><p style="text-align&#58;left;">Each regulated entity should have strategies and contingency plans in place to terminate third-party provider relationships in an efficient manner that minimizes risk to the regulated entity, whether the outsourced product or service is transitioned to another third-party provider, brought in house, or discontinued. The regulated entity should consider&#58;</p><ul style="list-style-type&#58;disc;"><li>The capabilities, resources, and time frames required to transition the product or service while still managing legal, regulatory, and other risks;</li><li>Risks associated with data retention and destruction, information system connections and access control issues, or other control concerns that require additional risk management and monitoring during and after the end of the third-party provider relationship;</li><li>Intellectual property ownership, rights, and responsibilities, as well as the handling of any joint intellectual property developed during the course of the arrangement; </li><li>The return of any regulated entity's information in the third-party provider's possession after voluntary or involuntary termination of the contract;</li><li>Reputational risks to the regulated entity if the termination results from the third-party provider's inability to meet expectations; and</li><li>Roles and assistance with transfer or wind down of the outsourced product or service upon termination.</li></ul><p style="text-decoration&#58;underline;"> <strong> <em>Related Guidance</em></strong></p><p>12 CFR Part 1236 Prudential Management and Operations Standards, Appendix. </p><p> <em>Cloud Computing Risk Management, </em>Federal Housing Finance Agency Advisory Bulletin 2018-04, August 14, 2018.</p><p> <em>Oversight of Multifamily Seller/Servicer Relationships</em>, Federal Housing Finance Agency Advisory Bulletin 2018-05, August 14, 2018.</p><p> <em>Information Security Management</em>, Federal Housing Finance Agency Advisory Bulletin 2017-02, September 28, 2017.</p><p> <em>Internal Audit Governance and Function</em>, Federal Housing Finance Agency Advisory Bulletin 2016-05, October 7, 2016.</p><p> <em>Data Management and Usage,</em> Federal Housing Finance Agency Advisory Bulletin 2016-04, September 29, 2016.</p><p> <em>Information Technology Investment Management,</em> Federal Housing Finance Agency Advisory Bulletin 2015-06, September 21, 2015.</p><p> <em>Oversight of Single-Family Seller/Servicer Relationships, </em>Federal Housing Finance Agency Advisory Bulletin, 2014-07, December 1, 2014.</p><p> <em>Operational Risk Management,</em> Federal Housing Finance Agency Advisory Bulletin, 2014-02, February 18, 2014. </p><p> <em>Model Risk Management, </em>Federal Housing Finance Agency Advisory Bulletin 2013-07, November 20, 2013.</p><p> <em>Contingency Planning for High-Risk or High-Volume Counterparties</em>, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013.</p><p>___________________________________________<br></p><p> <a name="1">[1]</a> The OF is not a “regulated entity&quot; as the term is defined by statute (<em>see </em>12 U.S.C. 4502(20)).&#160; However, for convenience, references to the “regulated entities&quot; in this AB should be read to also apply to the OF.&#160; </p><p> <a name="2">[2]</a> This AB does not apply to business arrangements through which a FHLBank provides products or services to its members or housing associates, or to a FHLBank's business arrangements with sponsors participating in its Affordable Housing Program.&#160; &#160;</p><p> <a name="3">[3]</a> 12 CFR 1239.11(a).</p><p> <a name="4">[4]</a> 12 CFR 1239.10(a).</p><p> <a name="5">[5]</a> 12 CFR 1223.2, 1223.21.</p><p> <a name="6">[6]</a><em>See, e.g.</em>, 12 CFR Part 1227.</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to&#58;&#160;<a href="mailto&#58;SupervisionPolicy@fhfa.gov.f">SupervisionPolicy@fhfa.gov</a>.</p></td></tr></tbody></table>​<br></blockquote></blockquote></blockquote>9/28/2018 6:30:25 PMHome / Supervision & Regulation / Advisory Bulletins / Oversight of Third-Party Provider Relationships Advisory Bulletin AB 2018-08:  OVERSIGHT OF THIRD-PARTY PROVIDER 11180https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Forms/AllItems.aspxhtmlFalseaspx

© 2021 Federal Housing Finance Agency